Date:      Thu, 07 Nov 2013 10:48:17 +0200
From:      Ian FREISLICH <ianf@clue.co.za>
To:        Rumen Telbizov <telbizov@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF sanity check
Message-ID:  <E1VeLGD-0003Ua-LB@clue.co.za>
In-Reply-To: <CAENR+_XPs41CLt1NiN+kzf2PGSR6hOKh1mng9imqPx0O0noQeA@mail.gmail.com>
References:  <CAENR+_XPs41CLt1NiN+kzf2PGSR6hOKh1mng9imqPx0O0noQeA@mail.gmail.com> <CAENR+_W2UOMUkXBBJ3nOpa_nw2i5F4wm6RuxwJZJ1LNfRrSNEw@mail.gmail.com> <201310270128.47766.vegeta@tuxpowered.net> <CAENR+_VpxkefiYNoeOQ-3hLA86jt08tgy8Yn=rTzOdCqi45Y2A@mail.gmail.com> <201310272303.24096.vegeta@tuxpowered.net>

Rumen Telbizov wrote:
> Yeah, only the number of states was my concern. On a related note what
> is the maximum number of states that you have been able to sustain and
> in what amount of memory?  I know it's pretty low memory overhead but
> still. In other words how much memory per state is being consumed by
> PF? Currently I am prepared to start with 200K states and the router
> has 24GB of RAM. What is a reasonable maximum that I can expect to be
> able to handle?  I am monitoring closely (nagios + graphite) those
> states as well btw.

You can increase the states hash table if you have lots of states.
I've not managed to find a tuning guide with recommendations.

net.pf.states_hashsize: Size of pf(4) states hashtable

We use 1048576.

The state table can grow quite large depending on your network.
Make sure that you set options in pf.conf to prevent states being
expired prematurely.

We use:
set timeout { \
        adaptive.start  900000, \
        adaptive.end    1800000 \
        }
set limit states 1500000
set limit frags 40000

Our high water mark is around 950000 states.  The router has 16GB
RAM and has a full Internet routing table and we've never run into
memory issues.
Mem: 311M Active, 759M Inact, 1936M Wired, 1647M Buf, 13G Free

Ian

-- 
Ian Freislich
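Added example, not code from the thread: a POSIX sh check that turns the numbers Ian quotes (net.pf.states_hashsize, "set limit states", adaptive.start) into a headroom check over `pfctl -si` and `pfctl -sm` output. The sample pfctl output is constructed, and the "states per bucket" rule of thumb is my assumption, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: check pf state-table headroom
# against the values Ian quotes. The pfctl output below is constructed;
# on a live router feed it `pfctl -si` and `pfctl -sm` instead.

# Constructed sample of `pfctl -si` (State Table section).
SAMPLE_SI='Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                    950000
  searches                      1234567890         1234.5/s'

# Constructed sample of `pfctl -sm` for the limits in Ian's pf.conf.
SAMPLE_SM='states        hard limit  1500000
src-nodes     hard limit    10000
frags         hard limit    40000
table-entries hard limit   200000'

# "current entries" from pfctl -si text on stdin.
pf_current_entries() { awk '/current entries/ { print $3; exit }'; }

# Hard limit for one pool (states, frags, ...) from pfctl -sm text on stdin.
pf_hard_limit() { awk -v p="$1" '$1 == p && /hard limit/ { print $NF; exit }'; }

# Average states per hash bucket: states / net.pf.states_hashsize.
# Rule of thumb (assumption): well above 1.0 means many states share a
# bucket and lookups degrade; Ian's 1048576 buckets for ~950000 states
# keep it under 1.0.
pf_chain_length() { awk -v s="$1" -v h="$2" 'BEGIN { printf "%.2f", s / h }'; }

# Status line + exit code: 0 OK, 1 above adaptive.start (pf is already
# scaling timeouts down), 2 at the hard limit (new states are refused).
pf_state_status() {
    states=$1 hashsize=$2 limit=$3 adaptive_start=$4
    chain=$(pf_chain_length "$states" "$hashsize")
    if [ "$states" -ge "$limit" ]; then
        echo "CRIT states=$states at limit $limit chain=$chain"; return 2
    elif [ "$states" -ge "$adaptive_start" ]; then
        echo "WARN states=$states above adaptive.start $adaptive_start chain=$chain"; return 1
    fi
    echo "OK states=$states/$limit hashsize=$hashsize chain=$chain"; return 0
}

# Stand-alone run over the constructed samples (hashsize from the thread).
cur=$(printf '%s\n' "$SAMPLE_SI" | pf_current_entries)
lim=$(printf '%s\n' "$SAMPLE_SM" | pf_hard_limit states)
pf_state_status "$cur" 1048576 "$lim" 900000 || echo "exit code $?"
```

On a router the same functions can be wired into the nagios check Rumen mentions by replacing the samples with `pfctl -si | pf_current_entries` and `pfctl -sm | pf_hard_limit states`.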
