From owner-freebsd-pf@FreeBSD.ORG Thu Nov 7 08:48:33 2013
To: Rumen Telbizov
From: Ian FREISLICH
Subject: Re: PF sanity check
References: <201310270128.47766.vegeta@tuxpowered.net> <201310272303.24096.vegeta@tuxpowered.net>
Date: Thu, 07 Nov 2013 10:48:17 +0200
Cc: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Rumen Telbizov wrote:
> Yeah, only the number of states was my concern. On a related note what
> is the maximum number of states that you have been able to sustain and
> in what amount of memory? I know it's pretty low memory overhead but
> still. In other words how much memory per state is being consumed by
> PF? Currently I am prepared to start with 200K states and the router
> has 24GB of RAM. What is a reasonable maximum that I can expect to be
> able to handle? I am monitoring closely (nagios + graphite) those
> states as well btw.

You can increase the states hash table if you have lots of states. I've
not managed to find a tuning guide with recommendations.

net.pf.states_hashsize: Size of pf(4) states hashtable

We use 1048576.

The state table can grow quite large depending on your network. Make
sure that you set options in pf.conf to prevent states being expired
prematurely. We use:

set timeout { \
        adaptive.start 900000, \
        adaptive.end 1800000 \
}
set limit states 1500000
set limit frags 40000

Our high water mark is around 950000 states.
The router has 16GB RAM and has a full Internet routing table and we've
never run into memory issues.

Mem: 311M Active, 759M Inact, 1936M Wired, 1647M Buf, 13G Free

Ian

--
Ian Freislich
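An added example (not part of Ian's mail or of pf itself) that turns the tuning above into a check: it applies pf.conf(5)'s adaptive timeout rule, which scales every timeout by (adaptive.end - states) / (adaptive.end - adaptive.start) once the state count passes adaptive.start, to the values quoted in the mail, and reads "current entries" out of pfctl -si output to report how close the table is to the configured limit. The pfctl -si text and the function names are constructed for the example; on a real router you would pipe the live command in instead.

```shell
#!/bin/sh
# Added example: adaptive timeout scaling and state-table headroom check for pf.
# Values below are the ones quoted in the mail; the pfctl output is constructed.

ADAPTIVE_START=900000
ADAPTIVE_END=1800000
STATE_LIMIT=1500000

# Constructed sample of "pfctl -si" output (the real command needs root).
SAMPLE_PFCTL_SI='Status: Enabled for 12 days 03:11:02           Debug: Urgent

State Table                          Total             Rate
  current entries                   950000
  searches                     12345678901        11680.2/s
  inserts                        987654321          934.4/s
  removals                       986704321          933.5/s'

# Percentage of the configured timeouts pf applies at $1 states.
# Below adaptive.start timeouts are untouched; at or above adaptive.end they
# reach zero; in between pf scales them linearly (pf.conf(5), "set timeout").
adaptive_scale_pct() {
    states=$1
    if [ "$states" -le "$ADAPTIVE_START" ]; then
        echo 100
    elif [ "$states" -ge "$ADAPTIVE_END" ]; then
        echo 0
    else
        echo $(( (ADAPTIVE_END - states) * 100 / (ADAPTIVE_END - ADAPTIVE_START) ))
    fi
}

# Pull the "current entries" count out of pfctl -si text read from stdin.
current_entries() {
    awk '/current entries/ { print $3; exit }'
}

# Prints "<OK|WARN> <percent of limit used> <percent of timeouts in effect>".
# WARN once the table is at 90% of "set limit states" or more.
check_state_table() {
    entries=$(printf '%s\n' "$1" | current_entries)
    used_pct=$(( entries * 100 / STATE_LIMIT ))
    scale=$(adaptive_scale_pct "$entries")
    if [ "$used_pct" -ge 90 ]; then status=WARN; else status=OK; fi
    echo "$status $used_pct $scale"
}

check_state_table "$SAMPLE_PFCTL_SI"
```

At the 950000-state high water mark from the mail this reports the table at 63% of the 1500000 limit with timeouts already cut to 94% of their configured values, which is the behaviour the adaptive settings are there to produce.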