Unable to fsck after crash - cannot alloc 30231937 bytes for typemap

2007-06-05 Thread nate
Hello folks -

My OpenBSD 4.1/i386 firewall crashed last week(seems to be on the 31st),
fortunately it did not stop passing packets. There is no log and
the console didn't show anything(serial console). I rebooted it
today, and it came up in single user mode telling me to run fsck
manually, which I tried, but it fails within 2 seconds:

# fsck_ffs -y /dev/rsd0a
** /dev/rsd0a
cannot alloc 30231937 bytes for typemap

I ran a couple searches and came across this:
http://www.openbsd.org/faq/faq14.html#LargeDrive

which states
"[..]A rough guideline is the system should have at least 1M of
available memory for every 1G of disk space to successfully fsck
the disk."

The filesystem is 228G (disks are 250GB in hardware raid 1)

I have 768MB of memory in the machine -

real mem  = 804859904 (785996K)
avail mem = 726327296 (709304K)

That is more than triple the amount of memory that the docs say is
needed to check a disk of this size, yet it still fails.

If I exit out and continue booting, it won't let me fsck from
multiuser (I expect it would have since the volume is mounted read-only)

# fsck_ffs -y /dev/rsd0a
** /dev/rsd0a (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes

INCORRECT BLOCK COUNT I=21267992 (448 should be 384)
CORRECT? no

PARTIALLY TRUNCATED INODE I=21267993
SALVAGE? no

INCORRECT BLOCK COUNT I=21267996 (8864 should be 8832)
CORRECT? no

INCORRECT BLOCK COUNT I=21267997 (1152 should be 1120)
CORRECT? no

INCORRECT BLOCK COUNT I=21267998 (244 should be 128)
CORRECT? no

INCORRECT BLOCK COUNT I=21268001 (168 should be 160)
CORRECT? no

INCORRECT BLOCK COUNT I=21268002 (40 should be 32)
CORRECT? no
[..]

Hardware:
Intel P3-800 (don't recall what motherboard)
768MB memory
3Ware 8006-2 RAID controller
2 x 250GB Western Digital Raid edition drives in RAID 1
3COM 3c59x PCI 10/100 NIC(management)
Intel 4 port 10/100 NIC (DEC 21142/3 chipset) - 2 ports are for
 a bridging firewall, the other 2 are not used

The system ran fine for several weeks, it was about a week after
I enabled several rsnapshot jobs that it seemed to crash. I'm not
as concerned right now about the crash but of course the inability
to run fsck.

Any suggestions?

thanks

nate



Re: Unable to fsck after crash - cannot alloc 30231937 bytes for typemap

2007-06-05 Thread nate
Otto Moerbeek wrote:

> go to single user mode, and type
>
> ulimit -dH unlimited
>
> and then run fsck
>

thanks for the quick reply! but that particular command had no effect:

[..]
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
WARNING: / was not properly unmounted
Automatic boot in progress: starting file system checks.
/dev/rsd0a: INCORRECT BLOCK COUNT I=21267992 (448 should be 384) (CORRECTED)
PARTIALLY TRUNCATED INODE I=21267993
/dev/rsd0a: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Automatic file system check failed; help!
Enter pathname of shell or RETURN for sh:
Terminal type? vt100
# ulimit -dH unlimited
# fsck_ffs -y /dev/rsd0a
** /dev/rsd0a
cannot alloc 30231937 bytes for typemap
# ulimit -a
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         65536
stack(kbytes)        4096
lockedmem(kbytes)    236424
memory(kbytes)       705612
nofiles(descriptors) 64
processes            80
#

however just ulimit -d unlimited worked

# ulimit -d unlimited
# ulimit -d
1048576
# fsck_ffs -y /dev/rsd0a
** /dev/rsd0a
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=21267992 (448 should be 384)
CORRECT? yes

PARTIALLY TRUNCATED INODE I=21267993
SALVAGE? yes

INCORRECT BLOCK COUNT I=21267996 (8864 should be 8832)
CORRECT? yes

INCORRECT BLOCK COUNT I=21267997 (1152 should be 1120)
CORRECT? yes
[..]

thanks!!

nate



Re: Quad ethernet card

2007-06-05 Thread nate
Fredrik Carlsson wrote:
> Hi,
>
> I'm planning to set up a new firewall and have a few questions about what
> quad ethernet cards people recommend?
> The server will probably be a Dell PE860 (they seem to be well supported
> by OpenBSD), but what quad cards should i buy? what cards have good
> performance?

While I was personally somewhat disappointed with the performance it was
still pretty fast, the Intel Pro 1000 GT quad port:

http://www.intel.com/network/connectivity/products/pro1000gt_quadport_server_adapter.htm

I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
was able to get a peak throughput of about 520Mbps in bridged mode
(pf disabled) measured using iperf. Interrupt cpu time was ~30%,
the rest of the cpu was idle. CPU was I think single proc Xeon
3.6Ghz(dual proc supermicro motherboard for multiple PCI-X busses
and stuff). I expected to be able to peg the CPU, but no matter
how hard I hit it, it wouldn't go higher than ~30%.

All in all the systems had 8 Intel GigE ports, a dual port PCI-X,
a quad port PCI-X, and two onboard. It didn't matter what config
I used, if the bridge was on one card or more than one, if it was
going across one IRQ or two, the system wouldn't go higher than
~520Mbps. I was hoping to be able to get at least 1Gbps, if not
2Gbps. (the firewalls had two bridges serving different network
segments). Redundancy was provided by OSPF on the switches.

The systems were connected to fairly hefty Extreme Black Diamond
10808s, when I removed the bridge and just connected the switch
back to itself(layer 3 virtual switching), throughput went up to
around 900Mbps (I think I hit a limitation on the servers I
was testing with at that point).

I sent a few posts to the list back at the time, probably May-June
2005, I don't work at that company anymore so I don't recall
exact specifics on everything.

nate



Re: Quad ethernet card

2007-06-06 Thread nate
Henning Brauer wrote:
> * nate <[EMAIL PROTECTED]> [2007-06-05 21:44]:
>> I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
>> was able to get a peak throughput of about 520Mbps in bridged mode
>> (pf disabled) measured using iperf.
>
> the single-stream tcp test iperf uses is pretty meaningless
> (unless.. well, that's another story)
>
>> Interrupt cpu time was ~30%, the rest of the cpu was idle.

hmm, well I would expect this would provide a maximum number for
throughput because there's only 1 connection, no extra processing
vs multiple connections, not that multiple connections should
matter since it was a bridge, and pf was disabled for the test.

It doesn't make sense to me why more connections would increase
throughput, can you(or someone) explain why this would be the
case.

I also would expect that this maximum number likely would not
be achieved once pf is enabled and 'real world' traffic was flowing
through the system keeping track of thousands of states from
the ~400 hosts on both sides of the firewall. But at least it would
give me a number, if I saw the same interrupt cpu% I could reasonably
expect the box to be maxed out. Fortunately normal network
traffic was quite low, the biggest users of bandwidth were file
copies via scp/rsync.

Someone replied to my original post off-list and told me about a
bug that was fixed in 2006 in the Intel GigE network driver that
reduces the amount of pci hits per packet thus increasing throughput
and packets per second, which may have contributed to the performance
issue I experienced(again in mid 2005). Of course at the time I
participated in a thread very similar to this and I don't recall
anyone responding with their openbsd network performance, so I
had nothing to base it on(were the numbers normal? low ? high?).
The FAQ says it's dependent on the system, and I purchased the
fastest 32-bit CPU that was on the market at the time(64-bit
was still too new I think that was (one of) the first releases
to support 64-bit x86), and OpenBSD SMP crashed on all machines
I tested at the time during boot). Even now I think I've gotten
one response (may have been off-list) saying they get less than
500Mbit on their card(forgot which card off hand, not the Intel
one though).

So regardless of the performance I think it was about as fast as
it was going to get, at the time. Short of absurdly low numbers
(under 200Mbit, which I would have purchased a fully hardware
firewall, we had just purchased 3000 gigabit switch ports so we
were spending a bit), I was going to stick with OpenBSD because
pf is a great tool, and easy to use, and the hardware was a good
price too with hardware raid, triple redundant power supplies
(each on a separate UPS-backed circuit), hot swap fans etc.

In the end the firewalls seemed to work out well, it's been
2 years since they launched and they haven't had a problem,
fortunately network traffic is fairly low. Two firewalls are
in active use(for different network segments, and are
failover for each other's network segments), with a 3rd
cold standby server.

tcpreplay sounds like an interesting tool, I had not heard
about it until your post.

nate



Re: pf macro behavior change between 4.1 and 4.3?

2008-08-04 Thread nate
Stuart Henderson wrote:

> ah, actually I think this one (which only affected numbers in
> a macro; strings worked ok) was already fixed. on -current:
>
> $ pfctl -nvf -
> ssh = "22"
> ssh = "22"
> smtp= "25"
> smtp = "25"
> penguin = "216.39.174.25"
> penguin = "216.39.174.25"
> penguin_ports   = "{" $ssh $smtp "}"
> penguin_ports = "{ 22 25 }"


Excellent! great to hear, thanks a bunch for your help.

nate



Re: syslogd -a question

2008-08-06 Thread nate
Alexander Hall wrote:


>  From looking at the source, I'd guess that tweaking
> /usr/src/usr.sbin/syslogd/syslogd.h and set MAXFUNIX to a larger number
> than 21 should be pretty straightforward. I'm not in the position to say
> whether large numbers would be appropriate though, for example by some
> limitation of poll(2).

How about one /dev/log and multiple hard links going to it?

Last time I worked with chroot environments was about 7 years ago but
I had a script that built the environments using hard links for the
users, and it seemed to work well. Of course I believe that the
hard link must be on the same file system as the target.

[EMAIL PROTECTED]:/tmp]# ln /dev/log .
[EMAIL PROTECTED]:/tmp]# ls -il /dev/log /tmp/log
89638 srw-rw-rw-  2 root  wheel  0 Aug  3 10:34 /dev/log
89638 srw-rw-rw-  2 root  wheel  0 Aug  3 10:34 /tmp/log
[EMAIL PROTECTED]:/tmp]#

nate



Re: contact info for PC Weasel?

2008-08-06 Thread nate
Brian A. Seklecki wrote:
> On Wed, 2008-08-06 at 13:58 -0700, Chris Cappuccio wrote:
>> spend your money on a motherboard with serial console.  like a supermicro
>> board or something.  you'll be happier.
>
> No offense but: No.  No you wont.  Unless you have IPMI or something
> like Dell's DRAC (4, not 5 -- 5 sux big time).

Normal serial console works great for me. There are some quirks,
I've encountered a few on Dell systems, HP seems quite a bit
better. Most of my boxes are Linux, and the Dell bios with "redirect
after POST" conflicts with the serial console settings in the boot
loader, so as part of the automated system installation it detects
what model# the installer is running on, and if it's an affected
system the installer disables the serial console settings on the
boot loader to work around the BIOS bug(but keeps the serial
console enabled elsewhere like remote tty).

Haven't had a chance to mess with DRAC v4 yet, but DRAC v5 works
alright, though I have to reboot it more often than I had to
reboot the HP iLO (or HP iLO 2). The supermicro premium management
card is pretty nice too though last I checked you had to have
a browser to get to the console, no SSH access. Earlier versions
had an SSH daemon, but none of the commands worked once I got
logged in.

A few years ago when I had a lot more supermicro systems I got
them to fix some of their bios bugs that were the same as the
Dell - they conflicted with the boot loader. I'm told by my
co workers that Dell support is pretty worthless so I just
work around it on my end instead.

I also make sure to disable all frame buffers, which is pretty
easy.

I do like how the newer HP systems auto detect what console port
you're on, even our latest Dell boxes we seem to have to go into
the bios and enable serial redirection before we can get remote
serial access via DRAC 5. I don't use the KVM stuff as it wants
java, and a web browser etc unless I absolutely have to. 99.9%
of the stuff I need the console for plain text serial is fine
(and faster/easier to get to over SSH).

My OpenBSD systems are installed by hand, fortunately the
installer is good about asking about serial consoles during
installation, makes it pretty easy too.

For what looks like about $300, this mini terminal server can
probably provide good remote access to a system with a serial
port(assuming you only need 1, if you need lots of ports get
a bigger model):

http://www.avocent.com/CycladesTS100.aspx

I haven't used that model myself, but have used tons of
ACS-32 and ACS-48s. (before Cyclades was bought by Avocent,
I hear since they have started to charge extra for a lot of
the things that were free before).

nate



pf macro behavior change between 4.1 and 4.3?

2008-08-02 Thread nate
Hello there ..

I am in the process of building a new OpenBSD 4.3 system in
parallel to my existing 4.1 system and ran into a little
glitch with regards to migrating my pf rule set to the new
system.

It seems that in 4.3, macros that expand to ports with
variables don't work anymore. I get a syntax error. I've
been using this since about 3.6, so didn't expect it to
break.

I've stripped the firewall config down to as basic as I can
make it, to reflect the behavior:

--begin firewall config--
external = fxp5
ssh = "22"
smtp = "25"
penguin = "216.39.174.25"
penguin_ports = "{" $ssh $smtp "}"
pass in quick on $external \
    proto tcp \
    from any \
    to $penguin \
    port $penguin_ports \
    flags S/SA \
    keep state

--end firewall config--
(my original firewall config is about 370 lines, this is just
the bare minimum to repro the behavior)

If I try to validate the config with pfctl under 4.1 it
validates no problem, if I try under 4.3 I get:

pf.conf_small:5: syntax error
pf.conf_small:10: macro 'penguin_ports' not defined
pf.conf_small:11: syntax error

I have other macros that have variables in them, which expand
to IP addresses instead of port numbers and those validate
no problem in 4.3.

I looked at the web-based changelog of 4.1->4.2 and 4.2->4.3
but didn't notice anything that might trigger this. I also
re-checked the FAQ and from what I can tell what I am
doing is still valid.

any ideas?

thanks

nate



Re: pf macro behavior change between 4.1 and 4.3?

2008-08-02 Thread nate
Vasile Cristescu wrote:

> Hello,
> penguin_ports = "{" $ssh $smtp "}" <-- I think it should be like :
> penguin_ports = "{" $ssh, $smtp "}"


Thanks for the quick reply! I just tried your suggestion but I get
the same syntax error.  The faq doesn't mention commas either(for
recursive macros):

http://www.openbsd.org/faq/pf/macros.html

thanks again

nate



Re: pf macro behavior change between 4.1 and 4.3?

2008-08-03 Thread nate
Stuart Henderson wrote:
> The pfctl-based config parsers were re-unified between 4.2 and
> 4.3, most things just work but there are some uncommon cases
> which used to work that don't now.

Ok thanks! Do you happen to know if there are plans to fix the
uncommon cases at some point? It seems like this particular
behavior wouldn't be intentional.

> For this in particular, you can simplify. Port names are looked
> up from /etc/services; just write "{ ssh, smtp }".  The comma is
> optional - see op-list in BNF of pf.conf(5) - but imo makes it
> easier to read (as does removing unnecessary macros).

Nice, that works well. I do have a few ports that are not
in /etc/services but I can hard code them without a recursive
macro, not a big deal. (rather than worry about having to
update /etc/services when I replicate my config between systems)

> pfctl/pf.conf probably could have done with an explicit
> mention, but on plus43.html you find "Improvements in the
> common parser code generator for various OpenBSD daemons"
> which is meant to cover this too.

Ok, good to know.

I appreciate the quick response! thanks a bunch

nate



Tuning gigabit bridging firewall for better performance

2005-06-09 Thread nate
Hello --

I am testing out a couple of new firewalls running
openbsd 3.6 (plan to upgrade to 3.7 soon), I did
some searches to see what kind of performance I
can expect and didn't come up with much other
than one posting where a guy got more than
800Mbit of throughput.

Currently I am testing with pf disabled, just
bridging the traffic to take pf out of the
picture.

Without bridging the traffic I get about ~700Mbit
of throughput. When I bridge the traffic it peaks
at ~500Mbit(as measured by iperf between 2 linux
hosts)


CPU spends approx 20-40% servicing interrupts
according to top.

I was expecting similarly good results(at least
closer to wire speed) as the poster who got
800Mbit+ of throughput as my hardware is approx
twice as fast as his(he had a 1.8Ghz Xeon)


system specs:
Supermicro 6034HX8R Motherboard
Intel Xeon EM64T 3.4Ghz 1MB Cache(1 CPU)
2GB PC3200 Registered ECC DDR-II Memory
ICP Vortex SCSI Raid card with 128MB Cache
 - 4 x 36GB U320 10k RPM SCSI disks in raid 10

Dual onboard Intel GigE network cards(em driver)
Dual port PCI-X Intel GigE network card(em driver)
Quad port PCI-X Intel GigE network card(em driver)


I have both interfaces on the dual port PCI
card bridged, and both pairs of interfaces
on the quad port bridged. Performance does
not vary between the dual port PCI-X and the
quad port PCI-X.

I was hoping with the dual and quad port
cards that it would reduce interrupt hits
if both ends of the bridge are on the same
card. I haven't tried crossing the bridge
between the two cards yet.

while this performance is acceptable, I was
hoping for some tips on getting it closer to
wire speed, or reducing interrupt usage.

Since I don't seem to be CPU bound(~70% idle)
perhaps it is network driver related? Is there
a better driver to use? Or a better network
card?

thanks

nate



Re: Tuning gigabit bridging firewall for better performance

2005-06-09 Thread nate
Tony Sarendal said:

> When it comes to network performance most platforms have limitations in
> packets per second before bandwidth. Please post the performance in pps
> also,
> as that is more interesting and more relevant, especially in the GigE case.

I don't see a way in iperf to get this stat, I will try to find
another tool, I did a crude test which basically involved clearing
the counters on my switch, using a stop watch and measuring the
time period. the results were approx 43,000 pps (1467476
packets sent, 718984 received during the 1.7GByte test), throughput
was 400Mbit


> The fastest pc os around according to google is FreeBSD which has broken the
> 1Mpps limit on pc hardware (2.8 GHz Xeon), but that is not wirespeed.

yeah I remember reading that news when they first broke that

> If you expect to see wire speed your box has to handle 1.5Mpps, for just one
> direction GigE. What kind of pps numbers are you seeing ?

not really expecting wire 1Gbit speed, just closer to the wire
speed I am getting (~700Mbit) without the bridge. as-is I am
getting 200-300Mbit less vs going raw over the switch.

I will try to look for another tool, if you or anyone has any
suggestions let me know

thanks

nate



Re: Tuning gigabit bridging firewall for better performance

2005-06-10 Thread nate
Tony Sarendal said:

> Now about netstat on your openbsd box ?
> netstat -I  -w10

I will try that tomorrow, thanks!

also any opinions whether or not the amd64 port of
openbsd may perform better ? even though I'm running
a cheap hack of the amd64 platform(EM64T). I wanted
to go full opteron though my vendor could not
find a SCSI raid card that ran stable under openbsd
on opteron, so I went with Xeons for these firewalls.

nate



Re: A Business Case for integrating OpenBSD into IT Infrastructures

2005-06-10 Thread nate
mdff said:
> hi misc@,
>
> which hardware r u talking about for example? we'd like
> to use such "real" servers, but we can't decide what vendor
> to choose. we definitely do not want to "build" our own
> server (taking the raid controller from vendor x and the
> disks from vendor y, having an overkill xeon mabo from z
> and so on). we'd like to have on-site hw-support at least
> next day (being in austria this is not possible with all
> the big "server-sellers")

for my new firewalls I am using servers from a company called
ASA Computers in california. They work well, I told them
I wanted an openbsd firewall with specs and they supplied
some good ones(raid card required a firmware upgrade)


Supermicro 3U chassis with triple redundant power
supplies(hot swap of course)
Dual Xeon motherboard with 1 3.4Ghz EM64T CPU
2GB memory
4x36GB U320 SCSI disks in hardware raid 10
ICP Vortex raid card 128MB cache
Hot swap drive bays
cdrom
floppy
lots of big fans
8 network interfaces
$4100
(price from 1/25/2005)

>
> our favourite was/is HP's DLxxx series, but mickey@ is
> working on the ciss-port for their storage controllers and
> we don't know when it's stable for production use...

I tried openbsd 3.6 I think in a DL360G3 and it did not
boot. I recently moved my company away from HP servers
on the front end for cost and reliability issues(though
the onsite support was handy, I've had to get a ton
of system boards replaced from DL360G3s). My new systems
from ASA are about $2300/unit cheaper(after discounts
from both sides).

I have 2 of them with a 3rd cold spare. they will be
running in bridging mode in active-active configuration.
redundancy is handled by ospf in my core switches, makes
some folks here feel better that if the cheap solution
(vs checkpoint was the other option) falls over then
the big expensive switches re-route the traffic to the
other firewall.

> any experience values which vendor to choose servers from?
> and of course, where the newer hardware is fully supported
> by openbsd?

I prefer to use a vendor that actually has experience with
openbsd. HP does not I think. when I bought redhat from them
they basically sent my company's order to redhat and redhat
sent me the CDs and stuff.  maybe if you get a big enough
order or support services it is different. There are quite
a few small(er) resellers like ASA that have experience with
openbsd.

>> Avoid relying on cheap hardware to make your cost point.  OpenBSD runs
>> well on "real", modern servers.  Managers at mid/large companies aren't
>> going to want to hear about how you pulled machines out of the trash and
>> now the business depends on them, even if they're 4x redundant.

don't confuse cheap hardware with crap hardware. you can buy
bottom of the barrel crap or pull it out of the trash, not to
be confused with something that is of high quality but 30-50%
cheaper than a tier 1 name brand provides.

I thought this quote was cute, saw it on an email from one
of the guys at the vendor:
"We make a good (almost generic) machine from brand name parts,
 whereas Dell makes a good (brand name) machine from generic parts."

I also like the smaller vendors because they tend to burn
their systems in before sending them out. About 50% of my
failures on the HP gear I have gotten have been detected
in the first 20-30 minutes of use, basically just by
installing the OS and rebooting. Once the systems are running
for a while they tend to be fairly solid.

note openbsd is really only on my firewalls, 85% of the rest of
the systems are redhat enterprise 2.1/3, some win2k, a few HPUX,
some debian(my preferred choice).

nate



Re: Tuning gigabit bridging firewall for better performance

2005-06-10 Thread nate
Tony Sarendal said:

> Now about netstat on your openbsd box ?
> netstat -I  -w10

results:

(netstat -I em1 -w1)
    em1 in          em1 out               total in         total out
 packets  errs  packets  errs colls   packets  errs  packets  errs colls
   45461     0    23878     0     0    138684     0   138680     0     0
   48678     0    25173     0     0    147717     0   147720     0     0
   46782     0        2     0     0    142449     0   142439     0     0
   43420     0    22977     0     0    132808     0   132806     0     0
   43880     0    23109     0     0    133964     0   133961     0     0
   47932     0    24928     0     0    145733     0   145731     0     0
   48065     0    24938     0     0    146007     0   146003     0     0
   44539     0    22644     0     0    134363     0   134365     0     0


I tried one more thing, changing the bridges so they all land on
the same IRQs, I thought the dual and quads would have 1 irq per
card but doesn't seem like the case:

em0 at pci3 dev 4 function 0 "Intel PRO/1000MF QP (82546EB)" rev 0x01: irq 5, address: 00:04:23:45:d9:20
em1 at pci3 dev 4 function 1 "Intel PRO/1000MF QP (82546EB)" rev 0x01: irq 10, address: 00:04:23:45:d9:21
em2 at pci3 dev 6 function 0 "Intel PRO/1000MF QP (82546EB)" rev 0x01: irq 3, address: 00:04:23:45:d9:22
em3 at pci3 dev 6 function 1 "Intel PRO/1000MF QP (82546EB)" rev 0x01: irq 11, address: 00:04:23:45:d9:23
em4 at pci4 dev 2 function 0 "Intel PRO/1000MT DP (82546EB)" rev 0x03: irq 3, address: 00:30:48:74:e0:86
em5 at pci4 dev 2 function 1 "Intel PRO/1000MT DP (82546EB)" rev 0x03: irq 11, address: 00:30:48:74:e0:87
em6 at pci7 dev 1 function 0 "Intel PRO/1000MT DP (82546EB)" rev 0x03: irq 5, address: 00:04:23:b3:d6:8e
em7 at pci7 dev 1 function 1 "Intel PRO/1000MT DP (82546EB)" rev 0x03: irq 10, address: 00:04:23:b3:d6:8f


doing this had no noticeable impact on throughput or cpu time
spent servicing interrupts.

thanks

nate
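
The per-second counters in the netstat output above can be set against the GigE packet-rate ceiling of about 1.5 Mpps quoted earlier in this thread. The script below is an added example, not part of the original posts; the function names are assumptions, and the sample rows are three of the posted rows with the columns separated.

```shell
#!/bin/sh
# Added example: compare measured packets per second with GigE line rate.

# Constructed sample: three rows from the netstat -I em1 -w1 output in the
# post, with the columns separated (in pkts, in errs, out pkts, ...).
SAMPLE_NETSTAT='    em1 in          em1 out               total in         total out
 packets  errs  packets  errs colls   packets  errs  packets  errs colls
   45461     0    23878     0     0    138684     0   138680     0     0
   48678     0    25173     0     0    147717     0   147720     0     0
   43420     0    22977     0     0    132808     0   132806     0     0'

# Maximum frames per second on a link for a given Ethernet frame size.
# Each frame also occupies 20 bytes on the wire: 8 preamble + 12 inter-frame gap.
# Usage: line_rate_pps FRAME_BYTES [LINK_BPS]
line_rate_pps() {
    awk -v f="$1" -v bps="${2:-1000000000}" \
        'BEGIN { printf "%d\n", bps / ((f + 20) * 8) }'
}

# Average the per-interval counters read from stdin.
# Prints "avg_in_pps avg_out_pps". Assumes a 1-second interval (-w1),
# so every data row is already in packets per second.
avg_pps() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 3 { in_sum += $1; out_sum += $3; n++ }
         END { if (n == 0) exit 1; printf "%d %d\n", in_sum / n, out_sum / n }'
}

# Whole-percent share of the 64-byte-frame line rate that a pps figure
# represents. This is the headroom number that a bandwidth test hides.
pct_of_min_frame_rate() {
    max_pps=$(line_rate_pps 64)
    echo $(( $1 * 100 / max_pps ))
}

# Summarise netstat -w1 output read from stdin.
report() {
    avgs=$(avg_pps) || { echo "no counter rows found"; return 1; }
    in_pps=${avgs% *}
    out_pps=${avgs#* }
    echo "in=${in_pps}pps out=${out_pps}pps in_pct_of_64B_line_rate=$(pct_of_min_frame_rate "$in_pps")"
}

# Demo on the sample rows. On a live system: netstat -I em1 -w1 | head -12 | report
printf '%s\n' "$SAMPLE_NETSTAT" | report
```

Roughly 46k packets per second is about 3% of what a gigabit link can carry in minimum-size frames, which is why a large-frame throughput test says little about how the box behaves under small-packet load.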



Re: OpenBSD favorable HW

2005-06-14 Thread nate
Johan P. Lindström said:

hello ..

 I used openbsd a few times a few years back only recently
got into it again ..


>  The SCSI RAID issues with Adaptec
> - What alternatives have you tried, good and bad and the ugly

currently have 3 openbsd systems(all 3.7 as of tomorrow),
that are running this card:

INTEL ICP-VORTEX GDT8514RZ 128MB SCSI CTRL

with 4 10k RPM 36GB disks in raid 10, so far works ok, had
to upgrade the firmware to keep it from hanging during the
bios POST. my vendor tells me at least in their experience
the ICP cards are the most stable under openbsd.

>  IRQ flooding on the NIC's
> - dc, em and sk seems to be the way to go, but what to for quad port
> cards? where to find one, brand names, model numbers, revisions

I posted a question on this topic(my reason for joining the list),
with the em driver. I get about 50% cpu usage servicing interrupts
(~480Mbps of throughput peak)

in any case these are the cards I have in my systems:
INTEL PWLA8492MT 2-PORT COPPER GIG CTRL
INTEL PWLA8494MT PRO/1000 MT Quad Port

both are PCI-X and seem to work alright.

> What I am looking for is HW mirroring of drives with hotswap for
> webservers and quadport nic's

I got my systems from www.asaservers.com (I just mail them for what
I want, rather than use the website). pretty good service and
prices, have ordered about 300 systems from them in the past few
months. mostly running redhat enterprise.  I don't have time to
get into hardware these days so I like being able to tell them
what I plan to use a system for and have them give a recommendation
then I can buy it and they can burn it in for me and send it. much
more flexible than HP which I used to buy from. any small shop
with openbsd experience should do fine though.

if you want a copy of the full specs of my openbsd systems mail
me off list and I'll try to get it for you(price is 6 months out
of date)

hope this helps

nate



Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread nate
Greetings

 I don't have a good way to test generating large numbers
of states so I was wondering for a server with 2GB of memory
which all it does is pf how many states can it handle? I
started with the default of 10k, exhausted that pretty quick,
then upped it to 32k about 3 weeks ago then exhausted that,
upgraded it to 90k last night, and just now I see it hovering
at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4Ghz CPU 2GB memory, 8 "em"
interfaces(only 1 of which is being used by pf at this
time for state info)

(though between the time I saw 70k states and about
2 minutes later it seems to have expired all but 3k
of them)

State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s


I do have optimization set to conservative, considering
changing it back to normal. I am mostly concerned about
hitting some sort of magic internal kernel memory limit and
crashing the box. I don't know if there is such a limit,
from what I have read I can't find any evidence that there
is.

Currently the boxes(running pfsync) are running at around
3-4% cpu usage.

running:
set optimization conservative
set timeout { adaptive.start 5, adaptive.end 92000 }
set limit states 9

Can I run with 200k states? 500k ? 1M states? 'top' reads
1833MB of memory is available. The docs say that 32MB
is enough for ~30k states. so in theory memory wise at
least this box should be able to handle at least
1.6M states. Not that I plan to keep that much!

there are about 100 servers on the inside of the firewall and
about 250 on the outside(probably will double that in the
next 6 months or less).

thanks

nate



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-23 Thread nate
mistakenly did not send this to the list originally --

Ted Unangst said:

> if it's 1k states per MB RAM, you're into trouble at 300k.  the kernel
> only has so much space to play in.

ok thats the kind of info I wanted to hear, so kernel
space can go up to ~300MB ? is this a tunable
parameter anywhere or is it hard coded?

is this a "low memory" vs "high memory" thing? if so is
there a good way to monitor "low memory" on openbsd?
I tried doing some google searches and all I found was
people running out of memory.

e.g. on linux

HighTotal:  3276224 kB
HighFree:    543892 kB
LowTotal:    814956 kB
LowFree:     612496 kB


also one last Q - when you allocate memory for states
in the pf config, say I allocate for 200k states does
that allocation happen when the config is loaded or
is it dynamic? Just wondering if I do exceed the limit
should I expect it to misbehave immediately upon
reload(even if it isn't holding that many states) or
not until it actually hits the state limit.

thanks

nate



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-23 Thread nate
Ted Unangst said:

> states are only allocated on demand.  you could set the limit to a billion
> with no problem until you actually start using too many states.  the limit
> is there to protect you from the firewall imploding.


thanks for all the info, very useful! hopefully such info can
get added to the docs at some point, since others have contacted
me as well asking similar questions.

thanks a lot(again)

nate
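
The rule of thumb given in this thread (about 1k states per MB of RAM, with trouble around 300k) lends itself to a routine headroom check against the configured `set limit states` value. The script below is an added example, not part of the original posts; it parses the State Table block of `pfctl -si` output, and the function names, thresholds and sample counter value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: state-table headroom check for pf.
# Reads `pfctl -si` text on stdin; the limit is passed as an argument and
# should match the value given to "set limit states" in pf.conf.

# Constructed sample in the layout of the State Table block quoted in the
# thread, with "current entries" set to the ~70k peak the poster describes.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                    70000
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s'

# Print the "current entries" counter; fail if the line is absent.
current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; found = 1 }
         END { if (!found) exit 1 }'
}

# Rough memory estimate in MB using the thread's rule of thumb
# (about 1k states per MB of RAM), rounded up.
states_to_mb() {
    echo $(( ($1 + 999) / 1000 ))
}

# Usage: check_states LIMIT [WARN_PCT] [CRIT_PCT] < pfctl-si-output
# Prints one status line. Returns 0 OK, 1 WARN, 2 CRIT, 3 on bad input.
check_states() {
    st_limit=$1 st_warn=${2:-70} st_crit=${3:-90}
    [ "$st_limit" -gt 0 ] 2>/dev/null || { echo "UNKNOWN bad limit"; return 3; }
    st_cur=$(current_states) || { echo "UNKNOWN no state table found"; return 3; }
    st_pct=$(( st_cur * 100 / st_limit ))
    st_mb=$(states_to_mb "$st_cur")
    if [ "$st_pct" -ge "$st_crit" ]; then
        st_status=CRIT st_rc=2
    elif [ "$st_pct" -ge "$st_warn" ]; then
        st_status=WARN st_rc=1
    else
        st_status=OK st_rc=0
    fi
    echo "$st_status current=$st_cur limit=$st_limit used=${st_pct}% est_kmem=${st_mb}MB"
    return $st_rc
}

# Demo on the sample with a 90000-state limit.
# On a live firewall: pfctl -si | check_states 90000
printf '%s\n' "$SAMPLE_INFO" | check_states 90000 || true
```

Because states are allocated on demand, the warning threshold is what gives notice before the limit starts dropping new connections; the limit itself should stay below the point where the memory estimate approaches what the kernel can spare.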



Re: About C++ and licensing on OpenBSD

2007-04-30 Thread Nate Montague
> 2. OpenBSD is known as a very anti-GPL project... so, what would be
> the OpenBSD position on front of some LGPL code implemented
> specifically for OpenBSD?

Well Ernesto, OpenBSD doesn't really care what you do with your own
code, regardless of what platform it is developed for.  You can put it
under the BML, which says you can do whatever you want with the code,
providing you blow the writer of the code for each copy of their code
you make, you can release it into the public domain, you can GPL it, or
you can make it proprietary for all anyone cares.

OpenBSD has a pretty open declaration of its likes and dislikes,
suffice to say, your stuff would not get into base no matter how nice
it was.

But it's your code, no one else ever even needs to know it exists.

Nate



Re: 4.6 postponed to Nov 1

2009-09-17 Thread Nate Schmoll
Can anyone point me in the direction of getting the release ISO for  
those of us that have ordered CDs?


Thanks to all of the obsd ninjas...you guys are awesome.  I'm pushing  
at our next blood cycle for a  $10k contribution.  We'll find out at  
the end of the month.  Thanks to Theo and everyone else that keep this  
project alive.




Re: 4.6 arriving

2009-10-03 Thread Nate Schmoll
Why don't we just wait until the packages are officially available  
from the team? I'm pretty sure it will be before or on the documented  
release date.  Exclusivity is quite contradictory to the project's  
objectives.


On Oct 2, 2009, at 11:06 PM, Theo de Raadt wrote:

But we won't open up the ftp servers today.  I want a sizeable
percentage of purchasers to receive their product first.


Is setting a password on the new package hierarchy and including the
password with the CD feasible or desired?


I don't see any benefit to that.