I've finally gotten around to setting up 3.3 on a test system and hopefully soon will deploy it in production.
At an operating system level, version 3.3 seems to have improved kernel memory management. My system has 512 MB of RAM. Under 3.1, I was unable to increase NMBCLUSTERS past 4096 without panicking the system at boot, nor was I able to increase NKMEMPAGES over the default maximum, allowing only 100,000 active states. We did occasionally get mclpool limit errors, so it was annoying not to be able to increase the allocation. Our active states are usually between 40-50 thousand, so the state limit was not too big of a deal, although occasionally we would hit the maximum during high load or denial of service attacks. With 3.3, I was able to set NMBCLUSTERS to 16384 with no problems, as well as increase NKMEMPAGES to twice the default. During testing, I hit 400,000 states with no issues. I could have probably gone higher but I became bored of waiting for the states to be generated ;)...

As for pf, the first thing I did was incorporate a local change into the parser allowing for embedded comments within strings. I believe the accepted way to accomplish this is via string concatenation, but I find that aesthetically displeasing and involving far too many " characters.

The main new feature I found myself availing of was tables. They allowed me to dramatically decrease the size of my rule set, as well as make it far less complex and easier to maintain. It is probably considerably more efficient as well.

My one quibble with tables again involves the parser. I am fond of embedded comments for documentation purposes, and found it annoying that tables declared in place had to be on the same logical line and allowed no comments within the table definition. I really would have liked to do something like:

    table <foo> {
        1.3.4.5 # blah
        5.5.7.8 # bluh
        3.5.8.9 # bleh
    }

Fortunately, tables defined via an external file allow this type of inline comment, and most of my tables were fairly large, so I went ahead and defined them in separate files. However, for smaller tables defined in place, this type of commenting would be useful.

Kudos to all of the pf developers. I really appreciate your work... I'm hoping the next time I upgrade I'll find production ready stateful load balancing/failover :).

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | [EMAIL PROTECTED]
California State Polytechnic University | Pomona CA 91768
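To show the two ways of declaring a table that the post contrasts, and how a single table rule stands in for one rule per address, here is an added pf.conf fragment; it is my own example, not Paul's configuration. It assumes fxp0 as the external interface, a table file at /etc/pf/blocked_hosts, and constructed addresses from the 192.0.2.0/24 documentation range.

```pf
# ---- /etc/pf/blocked_hosts (constructed sample table file) ----
# One address or network per line; "#" comments are accepted here,
# so each entry can carry the documentation the post asks for.
192.0.2.10          # constructed: host that tripped the state limit
192.0.2.20          # constructed: repeat scanner
198.51.100.0/24     # constructed: whole block, no business with us

# ---- pf.conf fragment ----
ext_if = "fxp0"     # assumption: external interface name

# Large table loaded from the external file above; "persist" keeps the
# table even when no rule currently references it.
table <blocked> persist file "/etc/pf/blocked_hosts"

# Small in-place table: one logical line, no comments inside the braces
# (the limitation the post describes for pf 3.3).
table <admins> { 192.0.2.50, 192.0.2.51 }

# One rule per table replaces one rule per address in the old ruleset.
block in quick on $ext_if from <blocked> to any
pass in on $ext_if proto tcp from <admins> to $ext_if port 22 keep state
```

The file is reloaded with the ruleset, so additions to /etc/pf/blocked_hosts take effect without editing pf.conf itself.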