Re: [ipfw] Dynamic rules grow indefinitely..

Nicolae Namolovan Sat, 09 Dec 2006 10:42:19 -0800

My god ! sysctl net.inet.ip.fw.dyn_keepalive=0 seem to help !
In few minutes I got "ipfw -d list | wc -l" from 5708 to 3250 and it
continue to decrease.. 2033 now.. haha.. great.. 876 wow..
stabilizing.. now float arround 1000, perfect !


Strange, why only me(?) get this problem.. Isn't
net.inet.ip.fw.dyn_keepalive=1 by default ?

Here is mine /var/run/dmesg.boot:

Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 6.1-RELEASE-p10 #1: Tue Nov 28 19:16:58 UTC 2006
   [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GRIVEI
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Core(TM)2 CPU          6600  @ 2.40GHz (2400.01-MHz 686-class CPU)
 Origin = "GenuineIntel"  Id = 0x6f6  Stepping = 6
 
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
 Features2=0xe3bd<SSE3,RSVD2,MON,DS_CPL,VMX,EST,TM2,<b9>,CX16,<b14>,<b15>>
 AMD Features=0x20100000<NX,LM>
 AMD Features2=0x1<LAHF>
 Cores per package: 2
real memory  = 2146304000 (2046 MB)
avail memory = 2099568640 (2002 MB)
ACPI APIC Table: <GBT    GBTUACPI>
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID:  0
cpu1 (AP): APIC ID:  1
ioapic0: Changing APIC ID to 2
ioapic0 <Version 2.0> irqs 0-23 on motherboard
kbd1 at kbdmux0
acpi0: <GBT GBTUACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_perf0: <ACPI CPU Frequency Control> on cpu0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
cpu1: <ACPI CPU> on acpi0
acpi_throttle1: <ACPI CPU Throttling> on cpu1
acpi_throttle1: failed to attach P_CNT
device_attach: acpi_throttle1 attach returned 6
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pci0: <serial bus, USB> at device 26.0 (no driver attached)
pci0: <serial bus, USB> at device 26.1 (no driver attached)
pci0: <serial bus, USB> at device 26.7 (no driver attached)
pci0: <multimedia> at device 27.0 (no driver attached)
pcib1: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> irq 19 at device 28.3 on pci0
pci2: <ACPI PCI bus> on pcib2
atapci0: <JMicron JMB363 SATA300 controller> port
0x6000-0x6007,0x6400-0x6403,0x6800-0x6807,0x6c00-0x6c03,0x7000-0x700f
mem 0xfa000000-0xfa001fff irq 19 at device 0.0 on pci2
ata2: <ATA channel 0> on atapci0
ata3: <ATA channel 1> on atapci0
ata4: <ATA channel 2> on atapci0
pcib3: <ACPI PCI-PCI bridge> irq 16 at device 28.4 on pci0
pci3: <ACPI PCI bus> on pcib3
pci3: <network, ethernet> at device 0.0 (no driver attached)
pci0: <serial bus, USB> at device 29.0 (no driver attached)
pci0: <serial bus, USB> at device 29.1 (no driver attached)
pci0: <serial bus, USB> at device 29.2 (no driver attached)
pci0: <serial bus, USB> at device 29.7 (no driver attached)
pcib4: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci4: <ACPI PCI bus> on pcib4
pci4: <display, VGA> at device 0.0 (no driver attached)
xl0: <3Com 3c905C-TX Fast Etherlink XL> port 0x9000-0x907f mem
0xf7008000-0xf700807f irq 18 at device 2.0 on pci4
miibus0: <MII bus> on xl0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl0: Ethernet address: 00:04:76:26:3c:f3
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci1: <GENERIC ATA controller> port
0xb400-0xb407,0xb800-0xb803,0xbc00-0xbc07,0xc000-0xc003,0xc400-0xc40f,0xc800-0xc80f
irq 19 at device 31.2 on pci0
ata5: <ATA channel 0> on atapci1
ata6: <ATA channel 1> on atapci1
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
atapci2: <GENERIC ATA controller> port
0xd000-0xd007,0xd400-0xd403,0xd800-0xd807,0xdc00-0xdc03,0xe000-0xe00f,0xe400-0xe40f
irq 19 at device 31.5 on pci0
ata7: <ATA channel 0> on atapci2
ata8: <ATA channel 1> on atapci2
orm0: <ISA Option ROMs> at iomem 0xc0000-0xc7fff,0xc8000-0xc87ff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ata0 at port 0x1f0-0x1f7,0x3f6 irq 14 on isa0
ata1 at port 0x170-0x177,0x376 irq 15 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
Timecounters tick every 1.000 msec
ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding
disabled, default to deny, logging disabled
ad4: 76318MB <SAMSUNG HD080HJ ZH100-41> at ata2-master SATA300
SMP: AP CPU #1 Launched!
Trying to mount root from ufs:/dev/ad4s1a



######
pciconf -lv
#####
[EMAIL PROTECTED]:0:0:  class=0x060000 card=0x50001458 chip=0x29a08086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = bridge
   subclass = HOST-PCI
[EMAIL PROTECTED]:26:0: class=0x0c0300 card=0x50041458 chip=0x28348086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = serial bus
   subclass = USB
[EMAIL PROTECTED]:26:1: class=0x0c0300 card=0x50041458 chip=0x28358086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = serial bus
   subclass = USB
[EMAIL PROTECTED]:26:7: class=0x0c0320 card=0x50061458 chip=0x283a8086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = serial bus
   subclass = USB
[EMAIL PROTECTED]:27:0: class=0x040300 card=0xa0021458 chip=0x284b8086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = multimedia
[EMAIL PROTECTED]:28:0: class=0x060400 card=0x00000040 chip=0x283f8086
rev=0x02 hdr=0x01
   vendor   = 'Intel Corporation'
   class    = bridge
   subclass = PCI-PCI
[EMAIL PROTECTED]:28:3: class=0x060400 card=0x00000040 chip=0x28458086
rev=0x02 hdr=0x01
   vendor   = 'Intel Corporation'
   class    = bridge
   subclass = PCI-PCI
[EMAIL PROTECTED]:28:4: class=0x060400 card=0x00000040 chip=0x28478086
rev=0x02 hdr=0x01
   vendor   = 'Intel Corporation'
   class    = bridge
   subclass = PCI-PCI
[EMAIL PROTECTED]:29:0: class=0x0c0300 card=0x50041458 chip=0x28308086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = serial bus
   subclass = USB
[EMAIL PROTECTED]:29:1: class=0x0c0300 card=0x50041458 chip=0x28318086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = serial bus
   subclass = USB
[EMAIL PROTECTED]:29:2: class=0x0c0300 card=0x50041458 chip=0x28328086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = serial bus
   subclass = USB
[EMAIL PROTECTED]:29:7: class=0x0c0320 card=0x50061458 chip=0x28368086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = serial bus
   subclass = USB
[EMAIL PROTECTED]:30:0: class=0x060401 card=0x00000050 chip=0x244e8086
rev=0xf2 hdr=0x01
   vendor   = 'Intel Corporation'
   device   = '82801BA/CA/DB/DBL/EB/ER/FB (ICH2/3/4/4/5/5/6), 6300ESB
Hub Interface to PCI Bridge'
   class    = bridge
   subclass = PCI-PCI
[EMAIL PROTECTED]:31:0: class=0x060100 card=0x50011458 chip=0x28108086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = bridge
   subclass = PCI-ISA
[EMAIL PROTECTED]:31:2: class=0x01018f card=0xb0021458 chip=0x28208086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = mass storage
   subclass = ATA
[EMAIL PROTECTED]:31:3: class=0x0c0500 card=0x50011458 chip=0x283e8086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = serial bus
   subclass = SMBus
[EMAIL PROTECTED]:31:5: class=0x010185 card=0xb0021458 chip=0x28258086
rev=0x02 hdr=0x00
   vendor   = 'Intel Corporation'
   class    = mass storage
   subclass = ATA
[EMAIL PROTECTED]:0:0:  class=0x010185 card=0xb0001458 chip=0x2363197b
rev=0x02 hdr=0x00
   class    = mass storage
   subclass = ATA
[EMAIL PROTECTED]:0:0:  class=0x020000 card=0xe0001458 chip=0x436411ab rev=0x12 
hdr=0x00
   vendor   = 'Marvell Semiconductor (Was: Galileo Technology Ltd)'
   class    = network
   subclass = ethernet
[EMAIL PROTECTED]:0:0:  class=0x030000 card=0xbeefdead chip=0x00d41013
rev=0x01 hdr=0x00
   vendor   = 'Cirrus Logic'
   device   = 'CL-GD5464 Laguna 3D VisualMedia Graphics Accel'
   class    = display
   subclass = VGA
[EMAIL PROTECTED]:2:0:  class=0x020000 card=0x100010b7 chip=0x920010b7 rev=0x78 
hdr=0x00
   vendor   = '3COM Corp, Networking Division'
   device   = '3C905C-TX Fast EtherLink for PC Management NIC'
   class    = network
   subclass = ethernet



#######
ifconfig
#######
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       options=9<RXCSUM,VLAN_MTU>
       inet 83... netmask 0xfffffff0 broadcast 83....
       ether 00:04:76:26:3c:f3
       media: Ethernet autoselect (100baseTX <full-duplex>)
       status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
       inet 127.0.0.1 netmask 0xff000000


Andrey V. Elsukov, thank you a lot !

On 12/9/06, Andrey V. Elsukov <[EMAIL PROTECTED]> wrote:

>It is a web server with ~130req/s, problems seem to start after
>upgrading to a new hardware.
>FreeBSD 6.1-RELEASE-p10

Can you show your /var/run/dmesg.boot, and output of `pciconf -lv` and ifconfig?

>After a hour it will grow more and more.. The day before yesterday I
>got 20 000 dynamic rules ;o) (I was forced to increase
>net.inet.ip.fw.dyn_max because I start to got errors in syslogs).

Try this:
# sysctl -w net.inet.ip.fw.dyn_keepalive=0

--
WBR, Andrey V. Elsukov
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"



--
Best regards,
Nicolae Namolovan.
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: [ipfw] Dynamic rules grow indefinitely..

Reply via email to