Re: Max number of states in pf? (100k? 200k? 1M?)
Ted Unangst said:
> states are only allocated on demand. you could set the limit to a billion
> with no problem until you actually start using too many states. the limit
> is there to protect you from the firewall imploding.

thanks for all the info, very useful! hopefully such info can get added to the docs at some point, since others have contacted me as well asking similar questions.

thanks a lot (again)

nate
Re: Max number of states in pf? (100k? 200k? 1M?)
On Fri, 23 Sep 2005, nate wrote:
> ok that's the kind of info I wanted to hear, so kernel
> space can go up to ~300MB ? is this a tunable
> parameter anywhere or is it hard coded?

it is actually 768MB on i386, but you can't use anywhere close to all of it for pf states. it is hard coded.

> is this a "low memory" vs "high memory" thing? if so is
> there a good way to monitor "low memory" on openbsd?
> I tried doing some google searches and all I found was
> people running out of memory.

there is no way i know of to monitor it. what matters is not memory, but address space.

> also one last Q - when you allocate memory for states
> in the pf config, say I allocate for 200k states does
> that allocation happen when the config is loaded or
> is it dynamic? Just wondering if I do exceed the limit
> should I expect it to misbehave immediately upon
> reload (even if it isn't holding that many states) or
> not until it actually hits the state limit.

states are only allocated on demand. you could set the limit to a billion with no problem until you actually start using too many states. the limit is there to protect you from the firewall imploding.

--
And that's why your software sucks.
Re: Max number of states in pf? (100k? 200k? 1M?)
mistakenly did not send this to the list originally --

Ted Unangst said:
> if it's 1k states per MB RAM, you're into trouble at 300k. the kernel only
> has so much space to play in.

ok that's the kind of info I wanted to hear, so kernel space can go up to ~300MB ? is this a tunable parameter anywhere or is it hard coded?

is this a "low memory" vs "high memory" thing? if so is there a good way to monitor "low memory" on openbsd? I tried doing some google searches and all I found was people running out of memory. e.g. on linux

HighTotal: 3276224 kB
HighFree: 543892 kB
LowTotal: 814956 kB
LowFree: 612496 kB

also one last Q - when you allocate memory for states in the pf config, say I allocate for 200k states does that allocation happen when the config is loaded or is it dynamic? Just wondering if I do exceed the limit should I expect it to misbehave immediately upon reload (even if it isn't holding that many states) or not until it actually hits the state limit.

thanks

nate
Re: Max number of states in pf? (100k? 200k? 1M?)
On 9/22/05, nate <[EMAIL PROTECTED]> wrote:
> Greetings
>
> I don't have a good way to test generating large numbers
> of states so I was wondering for a server with 2GB of memory
> which all it does is pf how many states can it handle? I
> started with the default of 10k, exhausted that pretty quick,
> then upped it to 32k about 3 weeks ago then exhausted that,
> upgraded it to 90k last night, and just now I see it hovering
> at around 70k.
>
> OpenBSD 3.7 with Intel Xeon 3.4GHz CPU 2GB memory, 8 "em"
> interfaces (only 1 of which is being used by pf at this
> time for state info)

Been wondering what the max states are myself. I've got a 3.7 firewall box set up that's currently routing around 20-30Mb/s (with a pps rate of around 2.5-3k), and I've seen state table entries over 100k a couple of times. I went ahead and set my limit at 200k, and we've not yet approached that, so I'm just watching it to see if I need to up it some more.

As far as general resources, the box itself is bored silly. I especially like that the interrupts have consistently stayed at zero (though I'll admit it's got good I/O - Gigabit Ethernet cards installed in 133MHz PCI-X slots, which is really the only way to go).

State Table                          Total             Rate
  current entries                    85143
  searches                     23873195139         6541.3/s
  inserts                        393193087          107.7/s
  removals                       393107944          107.7/s

load averages: 0.09, 0.11, 0.08    22:54:30
36 processes: 35 idle, 1 on processor
CPU states: 0.0% user, 0.0% nice, 0.2% system, 0.0% interrupt, 99.8% idle
Memory: Real: 17M/151M act/tot Free: 853M Swap: 0K/2048M used/tot

No worries so far.
Re: Max number of states in pf? (100k? 200k? 1M?)
Well, I'm running a similar setup, only Xeon 2.4 dual and running with 300k states, the info so far is:

State Table                          Total             Rate
  current entries                    89976
  searches                     2049646948754332.6/s
  inserts                         98362130          260.7/s
  removals                        98272154          260.5/s

load averages: 0.87, 0.64, 0.52    00:22:32
39 processes: 38 idle, 1 on processor
CPU states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Memory: Real: 19M/234M act/tot Free: 1780M Swap: 0K/2048M used/tot

That load seems to be coming from some cron jobs, since it was around 0.2/0.3 some days ago.

HTH,
Vinicius

nate wrote:
> Greetings
>
> I don't have a good way to test generating large numbers
> of states so I was wondering for a server with 2GB of memory
> which all it does is pf how many states can it handle? I
> started with the default of 10k, exhausted that pretty quick,
> then upped it to 32k about 3 weeks ago then exhausted that,
> upgraded it to 90k last night, and just now I see it hovering
> at around 70k.
>
> OpenBSD 3.7 with Intel Xeon 3.4GHz CPU 2GB memory, 8 "em"
> interfaces (only 1 of which is being used by pf at this
> time for state info)
>
> (though between the time I saw 70k states and about
> 2 minutes later it seems to have expired all but 3k
> of them)
>
> State Table                          Total             Rate
>   current entries                     2786
>   searches                     29837068755         5627.9/s
>   inserts                        211072218           39.8/s
>   removals                       211069432           39.8/s
>
> I do have optimization set to conservative, considering
> changing it back to normal. I am mostly concerned about
> hitting some sort of magic internal kernel memory limit and
> crashing the box. I don't know if there is such a limit,
> from what I have read I can't find any evidence that there
> is.
>
> Currently the boxes (running pfsync) are running at around
> 3-4% cpu usage.
>
> running:
> set optimization conservative
> set timeout { adaptive.start 5, adaptive.end 92000 }
> set limit states 9
>
> Can I run with 200k states? 500k ? 1M states? 'top' reads
> 1833MB of memory is available. The docs say that 32MB
> is enough for ~30k states. so in theory memory wise at
> least this box should be able to handle at least
> 1.6M states. Not that I plan to keep that much!
>
> there are about 100 servers on the inside of the firewall and
> about 250 on the outside (probably will double that in the
> next 6 months or less).
>
> thanks
>
> nate
Re: Max number of states in pf? (100k? 200k? 1M?)
On Thu, 22 Sep 2005, nate wrote:
> Can I run with 200k states? 500k ? 1M states? 'top' reads
> 1833MB of memory is available. The docs say that 32MB
> is enough for ~30k states. so in theory memory wise at
> least this box should be able to handle at least
> 1.6M states. Not that I plan to keep that much!

if it's 1k states per MB RAM, you're into trouble at 300k. the kernel only has so much space to play in.

--
And that's why I always keep a bottle of acid handy at my bedside.
Max number of states in pf? (100k? 200k? 1M?)
Greetings

I don't have a good way to test generating large numbers of states so I was wondering for a server with 2GB of memory which all it does is pf how many states can it handle? I started with the default of 10k, exhausted that pretty quick, then upped it to 32k about 3 weeks ago then exhausted that, upgraded it to 90k last night, and just now I see it hovering at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4GHz CPU 2GB memory, 8 "em" interfaces (only 1 of which is being used by pf at this time for state info)

(though between the time I saw 70k states and about 2 minutes later it seems to have expired all but 3k of them)

State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s

I do have optimization set to conservative, considering changing it back to normal. I am mostly concerned about hitting some sort of magic internal kernel memory limit and crashing the box. I don't know if there is such a limit, from what I have read I can't find any evidence that there is.

Currently the boxes (running pfsync) are running at around 3-4% cpu usage.

running:
set optimization conservative
set timeout { adaptive.start 5, adaptive.end 92000 }
set limit states 9

Can I run with 200k states? 500k ? 1M states? 'top' reads 1833MB of memory is available. The docs say that 32MB is enough for ~30k states. so in theory memory wise at least this box should be able to handle at least 1.6M states. Not that I plan to keep that much!

there are about 100 servers on the inside of the firewall and about 250 on the outside (probably will double that in the next 6 months or less).

thanks

nate
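As an added example (not from the thread or from pf itself), the script below parses the `pfctl -si` state-table block nate posted and applies the adaptive-timeout rule documented in pf.conf(5) to his `adaptive.start 5, adaptive.end 92000` setting, so you can see what timeouts are actually in force at a given state count; the sample block is constructed from his numbers, the timeout table is an assumed set of "normal" defaults, and the 90000 limit is the "90k" he mentions.

```python
import re

# Constructed sample: the "State Table" block of `pfctl -si` with the numbers
# nate posted (2786 current entries); the column layout is what pfctl prints.
SAMPLE_PFCTL_SI = """\
State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s
"""

# Assumed "normal" default timeouts in seconds (pf.conf(5)); replace with the
# values from your own `pfctl -st` output, especially under "conservative".
NORMAL_TIMEOUTS = {"tcp.established": 86400, "tcp.closing": 900,
                   "udp.multiple": 60, "icmp.first": 20}

def parse_state_table(text):
    """Map each counter name to (total, rate_per_second_or_None)."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s+([a-z ]+?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$", line)
        if m:
            rate = float(m.group(3)) if m.group(3) else None
            stats[m.group(1)] = (int(m.group(2)), rate)
    return stats

def adaptive_scale(states, start, end):
    """Factor pf applies to every timeout (pf.conf(5)): 1.0 up to
    adaptive.start, (end - states)/(end - start) in between, 0.0 at adaptive.end."""
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)

def effective_timeouts(states, start, end, timeouts=NORMAL_TIMEOUTS):
    """Timeouts actually in force at the given state count."""
    f = adaptive_scale(states, start, end)
    return {name: int(secs * f) for name, secs in timeouts.items()}

def default_adaptive(limit):
    """What pf uses when adaptive.* is unset: 60% and 120% of the state limit."""
    return limit * 6 // 10, limit * 12 // 10

if __name__ == "__main__":
    stats = parse_state_table(SAMPLE_PFCTL_SI)
    for n in (stats["current entries"][0], 70000, 85143):
        print(n, "states ->", effective_timeouts(n, 5, 92000))
```

With adaptive.start at 5, scaling kicks in almost immediately and a 24-hour established-TCP timeout is down to under 6 hours by 70k states, whereas `default_adaptive(90000)` gives the 54000/108000 pair pf would have chosen on its own.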