Re: Max number of states in pf? (100k? 200k? 1M?)

Thu, 22 Sep 2005 20:33:21 -0700 

Well,

I'm running a similar setup, only Xeon 2.4 dual and running with 300k
states, the info so far is:

State Table                          Total             Rate
  current entries                    89976              
  searches                     20496469487        54332.6/s
  inserts                         98362130          260.7/s
  removals                        98272154          260.5/s


load averages:  0.87,  0.64, 
0.52                                           00:22:32
39 processes:  38 idle, 1 on processor
CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100%
idle
Memory: Real: 19M/234M act/tot  Free: 1780M  Swap: 0K/2048M used/tot

That load seems to be coming from some cron jobs, since it was around
0.2/0.3 some days ago.

HTH,
Vinicius

nate wrote:

>Greetings
>
> I don't have a good way to test generating large numbers
>of states so I was wondering for a server with 2GB of memory
>which all it does is pf how many states can it handle? I
>started with the default of 10k, exausted that pretty quick,
>then upped it to 32k about 3 weeks ago then exausted that,
>upgraded it to 90k last night, and just now I see it hovering
>at around 70k.
>
>OpenBSD 3.7 with Intel Xeon 3.4Ghz CPU 2GB memory, 8 "em"
>interfaces(only 1 of which is being used by pf at this
>time for state info)
>
>(though between the time I saw 70k states and about
>2 minutes later it seems to have expired all but 3k
>of them)
>
>State Table                          Total             Rate
>  current entries                     2786
>  searches                     29837068755         5627.9/s
>  inserts                        211072218           39.8/s
>  removals                       211069432           39.8/s
>
>
>I do have optimization set to conservative, considering
>changing it back to normal. I am mostly concerned about
>hitting some sort of magic internal kernel memory limit and
>crashing the box. I don't know if there is such a limit,
>from what I have read I can't find any evidence that there
>is.
>
>Currently the boxes(running pfsync) are running at around
>3-4% cpu usage.
>
>running:
>set optimization conservative
>set timeout { adaptive.start 50000, adaptive.end 92000 }
>set limit states 90000
>
>Can I run with 200k states? 500k ? 1M states? 'top' reads
>1833MB of memory is available. The docs say that 32MB
>is enough for ~30k states. so in theory memory wise at
>least this box should be able to handle at least
>1.6M states. Not that I plan to keep that much!
>
>there are about 100 servers on the inside of the firewall and
>about 250 on the outside(probably will double that in the
>next 6 months or less).
>
>thanks
>
>nate

Reply via email to