My feeling is more and more that somehow, ipfilter resources are
exhausted and there is no warning about it.
So the question is: how to track those resources' use against the maximum
value, and know when adjustments are in order?
Would it be possible to have that information in the stats (e.g., In use:
9999 out of 10000)? Any "official" way to do so? docs.sun.com doesn't
seem to contain much about this.
Thanks,
Laurent
On 02/01/10 17:37, Laurent Blume wrote:
Hi all,
I'm on a recently patched Solaris 10 U8 x86. Since a few weeks back (Dec
24th from the logs), every night, ipfilter starts dropping all packets.
Of course, perfectly valid rules that have been working for years allow
them, and there has been no change in them for months.
Unfortunately, the system is remote, so from my point of view, it just
drops off the network. However, I had someone locally check that it's
still running normally. The logs show the same.
I'm trying to check if there's not a shortage of state buckets, but I'm
a bit unsure here where to look.
I know those system tunables for S10:
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
set ipf:ipf_nattable_sz = 10009
However, where to check how much of those are actually used? ipfstat -s
and ipnat -s probably show them, but *which* value exactly matches those?