Date:      Sun, 18 May 2008 17:26:36 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Vivek Khera <vivek@khera.org>
Cc:        freebsd-ipfw@freebsd.org, FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   Re: how much memory does increasing max rules for IPFW take up?
Message-ID:  <Pine.BSF.3.96.1080518154815.1845A-100000@gaia.nimnet.asn.au>
In-Reply-To: <BC5FAC20-572B-4D50-92A3-609B3C398712@khera.org>

On Fri, 16 May 2008, Vivek Khera wrote:

 > How are the buckets used?  Are they hashed per rule number or some  
 > other mechanism?  Nearly all of my states are from the same rule (eg,  
 > on a mail server for the SMTP port rule).

/sys/netinet/ip_fw.h
/sys/netinet/ip_fw2.c

Hashed per flow, (srcip^destip^srcport^dstport) mod curr_dyn_buckets, so
packets for both directions of a given flow hash to the same bucket.  In
the case you mention, you could likely expect reasonable distribution by
src_ip/src_port.

The rule number doesn't contribute to the hash, but is contained in the
dynamic rule entry, ie a matched flow resolves to its rule at the first
check_state or keep_state rule encountered.  Try searching for '_STATE'.

Each bucket just contains a pointer, so on i386 I'd expect 1KB per 256
buckets, see realloc_dynamic_table.  The 'pointees', ipfw_dyn_rule, are
around 70? bytes each with 32-bit pointers, so 4K current dynamic rules
should use around 280KB?  Somebody yell if I'm badly miscalculating ..

 > How should I scale the buckets with the max rules?  The default seems  
 > to be 4096 rules and 256 buckets.  Should I maintain that ratio?

Sounds reasonable.  Extra buckets look cheap, if I'm reading it right,
and memory otherwise appears to be only allocated on use, per new flow,
but I'm ignorant of any other memory allocation overheads.

caveats: 5.5 sources; C is read-only here; not subscribed to -ipfw

cheers, Ian
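
The bucket arithmetic discussed in this message, as an added example that is not part of the original e-mail and not the FreeBSD source: it applies the XOR-then-modulo index as described above to a constructed population of SMTP clients and reports the longest bucket chain for the default 4096/256 sizing, for four times the flows on the same buckets, and with both scaled together. The `struct flow` layout, the function names and the client addresses are assumptions of this sketch, and the client population is constructed so that the spread comes out perfectly even.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Flow tuple for this sketch; struct and field names are assumptions. */
struct flow { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

/* Bucket index as the message describes it: XOR of the four fields modulo
 * the bucket count. XOR commutes, so the reply direction of a flow lands
 * in the same bucket. The caller must pass a non-zero bucket count. */
uint32_t flow_bucket(struct flow f, uint32_t nbuckets)
{
    return (f.src_ip ^ f.dst_ip ^ f.src_port ^ f.dst_port) % nbuckets;
}

/* The same flow as seen in the reply direction. */
struct flow flow_reverse(struct flow f)
{
    return (struct flow){ f.dst_ip, f.src_ip, f.dst_port, f.src_port };
}

/* Constructed client i of one SMTP listener (10.9.9.9:25): sequential
 * source addresses, source port stepping once every 256 clients. */
struct flow smtp_client(uint32_t i)
{
    return (struct flow){ 0x0A000000u + i, 0x0A090909u,
                          (uint16_t)(49152u + (i >> 8)), 25 };
}

/* Longest bucket chain after nflows states are inserted, i.e. the worst
 * case walked on a lookup. Returns 0 for zero buckets or failed allocation. */
uint32_t longest_chain(uint32_t nflows, uint32_t nbuckets)
{
    uint32_t max = 0, *count = nbuckets ? calloc(nbuckets, sizeof *count) : NULL;
    for (uint32_t i = 0; count != NULL && i < nflows; i++) {
        uint32_t n = ++count[flow_bucket(smtp_client(i), nbuckets)];
        if (n > max)
            max = n;
    }
    free(count);
    return max;
}

int main(void)
{
    /* flows/buckets: default sizing, 4x flows only, 4x flows and buckets */
    printf("%u %u %u\n", (unsigned)longest_chain(4096, 256),
           (unsigned)longest_chain(16384, 256), (unsigned)longest_chain(16384, 1024));
    return 0;
}
```

With this input the chain length tracks the flows-to-buckets ratio: raising the flow count alone lengthens every chain, while scaling both keeps it at the default depth.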



