Greetings, I don't have a good way to test generating large numbers of states, so I was wondering, for a server with 2GB of memory which all it does is pf, how many states can it handle? I started with the default of 10k, exhausted that pretty quickly, then upped it to 32k about 3 weeks ago, then exhausted that, upgraded it to 90k last night, and just now I see it hovering at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4GHz CPU, 2GB memory, 8 "em" interfaces (only 1 of which is being used by pf at this time for state info). (Though between the time I saw 70k states and about 2 minutes later it seems to have expired all but 3k of them.)

  State Table                          Total             Rate
    current entries                     2786
    searches                     29837068755         5627.9/s
    inserts                        211072218           39.8/s
    removals                       211069432           39.8/s

I do have optimization set to conservative, considering changing it back to normal. I am mostly concerned about hitting some sort of magic internal kernel memory limit and crashing the box. I don't know if there is such a limit; from what I have read I can't find any evidence that there is. Currently the boxes (running pfsync) are running at around 3-4% CPU usage.

Running:

  set optimization conservative
  set timeout { adaptive.start 50000, adaptive.end 92000 }
  set limit states 90000

Can I run with 200k states? 500k? 1M states? 'top' reads 1833MB of memory is available. The docs say that 32MB is enough for ~30k states, so in theory, memory-wise at least, this box should be able to handle at least 1.6M states. Not that I plan to keep that much! There are about 100 servers on the inside of the firewall and about 250 on the outside (probably will double that in the next 6 months or less).

thanks
nate
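A way to turn the figures in the post into a headroom check, as an added example that is not from the original post or from OpenBSD's own tools: it parses the "current entries" counter out of `pfctl -s info` text and applies the adaptive-timeout scaling rule from pf.conf(5); the sample output, the 90000 limit and the 50000/92000 adaptive thresholds are constructed from the numbers above.

```python
import re

# Constructed sample of `pfctl -s info` output, using the counters from the post.
SAMPLE_PFCTL_INFO = """\
Status: Enabled for 21 days 03:12:45           Debug: Urgent

State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s
"""

def parse_current_entries(pfctl_info: str) -> int:
    """Pull the 'current entries' counter out of `pfctl -s info` text."""
    m = re.search(r"^\s*current entries\s+(\d+)", pfctl_info, re.MULTILINE)
    if not m:
        raise ValueError("no 'current entries' line in pfctl output")
    return int(m.group(1))

def adaptive_scale(states: int, start: int, end: int) -> float:
    """Timeout multiplier under pf adaptive timeouts (pf.conf(5)):
    unchanged below adaptive.start, scaled linearly by
    (end - states) / (end - start) in between, and zero at or above end."""
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)

def state_headroom(states: int, limit: int, start: int, end: int, warn: float = 0.8) -> dict:
    """Summarise how close the state table is to `set limit states`."""
    used = states / limit
    return {
        "states": states,
        "used_fraction": round(used, 4),
        "timeout_scale": round(adaptive_scale(states, start, end), 4),
        # pf refuses new states at the limit; if adaptive.end sits above the
        # limit, the table fills up before timeouts ever reach zero.
        "limit_before_adaptive_end": end > limit,
        "warn": used >= warn,
    }

if __name__ == "__main__":
    now = parse_current_entries(SAMPLE_PFCTL_INFO)
    print(state_headroom(now, limit=90000, start=50000, end=92000))
    # the 70k peak mentioned in the post
    print(state_headroom(70000, limit=90000, start=50000, end=92000))
```

At the 70k peak the table is about 78% full and pf is already shortening timeouts to roughly 52% of their configured values, which is consistent with the rapid expiry the post describes.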