Zurek, Patrick wrote:
Hi everyone,
I have a question about running ipfilter on a large Sunfire 15k
domain. We currently run it on all our smaller servers, and even a
(relatively) smaller 15k domain and we're pleased with its
performance. However, we have some concerns about putting it on our
largest Solaris 8 15k domain.
Specifically, the domain tends to have anywhere from 6000-12000
simultaneous established TCP connections and is allocated 96 GB of
RAM. Many of these connections tend to remain established throughout
the day. With stateful inspection in ipfilter, are we likely to run
into any performance problems or memory issues? Unfortunately, we
don't have a test machine of this size, or usage pattern, to test this
on prior to implementation.
Each ip state structure is 648 bytes on my amd64 system. 20k
connections will only take up 1.3 MB of memory.
I don't know about the performance penalty of running with that many
connections, though.
The second question I have is in regards to the size of the state
table. The FAQ Question # III.25: "How do I enlarge the state table?
What else should be tweaked for high-stress installs?" recommends
modifying the #defines IPSTATE_SIZE and IPSTATE_MAX to enlarge the
state table. Will I need to do this, and secondly, what is a
reasonable value to change them to?
I'm not sure about Solaris 8 and older versions of IP Filter, but with
the version we have with Solaris 10,
"# ipf -T list" gives:
...
fr_statemax min 0x1 max 0x7fffffff current 4013
fr_statesize min 0x1 max 0x7fffffff current 5737
...
and also provides the mechanism to change those values:
# ipf -T fr_statemax=20000
# ipf -T fr_statesize=20000
Older versions probably required a recompile.
-Mike
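As an added example (not code from the thread or from the IP Filter project), a small sh script that parses the "ipf -T list" lines quoted above and checks whether a planned peak of established connections fits under the current fr_statemax, with a memory estimate based on Mike's 648-bytes-per-state figure (assumed to hold for the target box). The sample "ipf -T list" output is constructed from the two lines in the thread, so it runs without a Solaris host.

```shell
# Constructed sample of "ipf -T list" output, copied from the thread's two lines.
SAMPLE_IPF_T_LIST='fr_statemax min 0x1 max 0x7fffffff current 4013
fr_statesize min 0x1 max 0x7fffffff current 5737'

# Assumed per-state memory cost (Mike's 648-byte figure from his amd64 box).
STATE_BYTES=648

# ipf_tunable <name> <ipf -T list text>
# Prints the "current" value of the named tunable from the captured output.
ipf_tunable() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n { for (i = 1; i <= NF; i++) if ($i == "current") print $(i + 1) }'
}

# state_table_check <peak_connections> <ipf -T list text>
# Prints: <fits|exceeds> <current fr_statemax> <estimated KB for peak states>
# "exceeds" means the planned peak is above fr_statemax, so new states would
# be refused and fr_statemax/fr_statesize should be raised with "ipf -T".
state_table_check() {
    peak=$1
    statemax=$(ipf_tunable fr_statemax "$2")
    kb=$(( peak * STATE_BYTES / 1024 ))
    if [ "$peak" -gt "$statemax" ]; then
        verdict=exceeds
    else
        verdict=fits
    fi
    printf '%s %s %s\n' "$verdict" "$statemax" "$kb"
}

# Usage: the thread's worst case of 12000 established connections.
state_table_check 12000 "$SAMPLE_IPF_T_LIST"
```

On a real domain, replace the constructed sample with `ipf -T list` output captured from that host, since the defaults shown (4013 and 5737) are from Mike's Solaris 10 system, not yours.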