On Thu, Mar 24, 2011 at 11:37:08PM -0300, Kleber Rocha wrote:
> Hi,
>
> I have two OpenBSD boxes with pf as firewall; with heavy load I get this error
> on message:
>
> Mar 24 19:13:29 fw01 /bsd: WARNING: mclpools limit reached; increase
> kern.maxclusters
>
> But both firewalls crash. How can I fix this?
>
> Thanks
>
> My sysctl.conf is configured like this:
> kern.maxfiles=65536

Why are you bumping maxfiles on a firewall?

> # Multipath
> net.inet.ip.multipath=1
>
> # carp
> net.inet.carp.allow=1
> net.inet.carp.log=1
> net.inet.carp.preempt=1
> #net.inet.carp.arpbalance=1
>
> net.inet.tcp.recvspace=262144
> net.inet.tcp.sendspace=262144
> net.inet.udp.recvspace=262144
> net.inet.udp.sendspace=262144

This is not doing what you think it does. Especially the UDP ones.

> net.inet.tcp.keepinittime=150
> #net.inet.tcp.keepinittime=10
> net.inet.tcp.keepidle=14400
> #net.inet.tcp.keepidle=30
> net.inet.tcp.keepintvl=150
> #net.inet.tcp.keepintvl=30
> net.inet.tcp.rstppslimit=100
> #net.inet.tcp.rstppslimit=400
> net.inet.ip.redirect=1
> #net.inet.ip.redirect=0
> net.inet.ip.maxqueue=300
> #net.inet.ip.maxqueue=1000
> kern.somaxconn=128
> #kern.somaxconn=256

Wow, you're pushing a lot of buttons here that should not be pushed unless
you absolutely know what you are doing.

> net.inet.ip.ifq.maxlen=256

On fast systems this can normally be increased by factors of 2-4 to improve
performance.

> kern.maxclusters=262144

Why do you think that you can increase this value by a factor of over 40?
The warning is:

> Mar 24 19:13:29 fw01 /bsd: WARNING: mclpools limit reached; increase
> kern.maxclusters

Increase, it is not multiply! You may double the number, maybe more if the
warning happens again, but a factor 40 will run your system out of memory.
Also try to figure out where all that memory is going. I bet into the
socket buffers.

You twiddled your system into death.

-- 
:wq Claudio
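
The sizing point in the reply above, as an added example that is not part of the original message: a small Python check that reads a sysctl.conf, ignores commented-out lines, and reports how far kern.maxclusters sits from a baseline and how much memory that many clusters could pin. The 6144 baseline (inferred from "a factor of over 40") and the 2048-byte cluster size are assumptions, as are the function names.

```python
# Added example, not from the thread. Assumptions are marked below.
MCLBYTES = 2048             # assumption: bytes per standard mbuf cluster
DEFAULT_MAXCLUSTERS = 6144  # assumption: stock value implied by "factor of over 40"

# Excerpt of the sysctl.conf quoted in the thread.
SAMPLE_CONF = """\
# carp
net.inet.carp.allow=1
#net.inet.carp.arpbalance=1
net.inet.tcp.recvspace=262144
net.inet.udp.recvspace=262144
kern.maxclusters=262144
"""


def parse_sysctl_conf(text):
    """Return active key/value pairs; text after '#' is ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_maxclusters(settings, baseline=DEFAULT_MAXCLUSTERS, max_factor=2):
    """Compare kern.maxclusters with the baseline.

    max_factor=2 mirrors the advice to double the value, not multiply it.
    ceiling_mib counts 2 KB clusters only, so treat it as a rough estimate.
    """
    value = int(settings.get("kern.maxclusters", baseline))
    factor = value / baseline
    return {
        "value": value,
        "factor": round(factor, 1),
        "ceiling_mib": value * MCLBYTES // (1024 * 1024),
        "ok": factor <= max_factor,
    }


if __name__ == "__main__":
    report = audit_maxclusters(parse_sysctl_conf(SAMPLE_CONF))
    print(report)
```

Compare the reported ceiling with the RAM actually installed in the firewall before raising the limit.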