From rsimmons@wumpus.wlcg.com  Wed Jun  6 11:54:13 2001
Return-Path: <rsimmons@wumpus.wlcg.com>
Received: from wumpus.wlcg.com (wumpus.wlcg.com [209.9.101.248])
	by hub.freebsd.org (Postfix) with ESMTP id AFC0237B405
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  6 Jun 2001 11:54:12 -0700 (PDT)
	(envelope-from rsimmons@wumpus.wlcg.com)
Received: (from rsimmons@localhost)
	by wumpus.wlcg.com (8.11.3/8.11.3) id f56IpVE11245;
	Wed, 6 Jun 2001 14:51:31 -0400 (EDT)
	(envelope-from rsimmons)
Message-Id: <200106061851.f56IpVE11245@wumpus.wlcg.com>
Date: Wed, 6 Jun 2001 14:51:31 -0400 (EDT)
From: Rob Simmons <rsimmons@wumpus.wlcg.com>
Reply-To: rsimmons@wumpus.wlcg.com
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipfilter state table limits are too small
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         27912
>Category:       kern
>Synopsis:       ipfilter state table limits are too small
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 06 12:00:04 PDT 2001
>Closed-Date:    Wed Nov 14 14:05:38 MET 2001
>Last-Modified:  Wed May  7 04:20:10 PDT 2003
>Originator:     Rob Simmons
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD wumpus 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri May 11 09:42:50 EDT 2001 root@wumpus:/usr/obj/usr/src/sys/WUMPUS i386


	
>Description:
The ipfilter state table limits are too small.  Ideally there should be
a sysctl knob for changing these limits on the fly.  The second most ideal
solution is to have a kernel configuration file knob.  The last solution
which is less than ideal, but would work for most people is to apply the
patch supplied below.
>How-To-Repeat:
The state tables right now have the following values:
#define IPSTATE_SIZE    5737
#define IPSTATE_MAX     4013
>Fix:
*** /tmp/ip_state.h     Wed Jun  6 14:55:56 2001
--- sys/netinet/ip_state.h      Wed Jun  6 14:56:21 2001
***************
*** 18,25 ****
  # define      SIOCDELST       _IOW(r, 61, struct ipstate *)
  #endif
  
! #define       IPSTATE_SIZE    5737
! #define       IPSTATE_MAX     4013    /* Maximum number of states held */
  
  #define       PAIRS(s1,d1,s2,d2)      ((((s1) == (s2)) && ((d1) == (d2))) ||\
                                 (((s1) == (d2)) && ((d1) == (s2))))
--- 18,25 ----
  # define      SIOCDELST       _IOW(r, 61, struct ipstate *)
  #endif
  
! #define       IPSTATE_SIZE    64747
! #define       IPSTATE_MAX     45322   /* Maximum number of states held */
  
  #define       PAIRS(s1,d1,s2,d2)      ((((s1) == (s2)) && ((d1) == (d2))) ||\
                                 (((s1) == (d2)) && ((d1) == (s2))))
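Review bot: The replacement swaps one hard-coded pair of constants for another, which is exactly the option the description calls least ideal; wrapping each definition in "#ifndef IPSTATE_SIZE" ... "#endif" (and likewise for IPSTATE_MAX) would keep these defaults while letting a kernel config or a -D flag override them, so the header need not be re-patched on every source update. The comment on the two lines should also say which number is which: IPSTATE_SIZE is the hash table size and IPSTATE_MAX the cap on entries held, and raising the cap from 4013 to 45322 lets the kernel hold roughly eleven times as many state entries, so the memory tied up under a burst of new connections grows in proportion and the chosen values should be sized for the machine.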
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Wed Jun 6 12:32:39 PDT 2001 
Responsible-Changed-Why:  
ipfilter is Darren's. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27912 
State-Changed-From-To: open->feedback 
State-Changed-By: darrenr 
State-Changed-When: Mon Jul 30 15:59:23 PDT 2001 
State-Changed-Why:  
both of those #defines (IPSTATE_SIZE & IPSTATE_MAX) are now only #define'd 
in ip_state.h if they are previously undefined.  A kernel config with the 
lines "options IPSTATE_SIZE=100000" (for example) should cause it to be 
compiled with -DIPSTATE_SIZE=100000.  Maybe this, and other things, should 
find their way into "opt_ipfilter.h" ? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27912 
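The "only #define'd if previously undefined" pattern described in the note above, as an added example written for this page and not code from the PR or from ipfilter. The defaults are the values quoted in the PR; the opt_ipfilter.h include guarded by _KERNEL and KLD_MODULE is an assumption used to illustrate why a module build would fall back to the defaults; the primality and load-factor checks are a reviewer's sanity checks on the chosen numbers, not something the PR itself states.

```c
/* Added example: #ifndef-guarded defaults for the ipfilter state table
 * limits, overridable at compile time with -DIPSTATE_SIZE=... and
 * -DIPSTATE_MAX=..., plus sanity checks on the chosen values.
 * Not code from the PR or from ipfilter. */
#include <stdio.h>

/* In a kernel build, "options IPSTATE_SIZE=..." is emitted into
 * opt_ipfilter.h.  A loadable module build does not see that file, so it
 * gets the defaults below.  _KERNEL and KLD_MODULE are FreeBSD build
 * macros; that ipfilter used exactly this guard is an assumption here. */
#if defined(_KERNEL) && !defined(KLD_MODULE)
#include "opt_ipfilter.h"
#endif

#ifndef IPSTATE_SIZE
#define IPSTATE_SIZE 5737   /* hash table size, default from the PR */
#endif
#ifndef IPSTATE_MAX
#define IPSTATE_MAX  4013   /* maximum number of states held, from the PR */
#endif

/* Expose the compiled-in values so a test can see which ones took effect. */
unsigned ipstate_size(void) { return IPSTATE_SIZE; }
unsigned ipstate_max(void)  { return IPSTATE_MAX; }

/* A modulo-based hash table spreads entries best over a prime bucket
 * count; the sizes quoted in this PR (5737, 64747) are both prime. */
int is_prime(unsigned n) {
    if (n < 2) return 0;
    if (n % 2 == 0) return n == 2;
    for (unsigned d = 3; d * d <= n; d += 2)
        if (n % d == 0) return 0;
    return 1;
}

/* States per bucket when the table is full (max / size). */
double ipstate_load_factor(unsigned size, unsigned max) {
    return (double)max / (double)size;
}

/* Plausibility check for a (size, max) pair: prime bucket count and a cap
 * that keeps the average chain length below one entry per bucket. */
int ipstate_limits_sane(unsigned size, unsigned max) {
    return is_prime(size) && max > 0 && max < size;
}

int main(void) {
    unsigned size = ipstate_size(), max = ipstate_max();
    printf("IPSTATE_SIZE=%u IPSTATE_MAX=%u load=%.2f sane=%d\n",
           size, max, ipstate_load_factor(size, max),
           ipstate_limits_sane(size, max));
    return 0;
}
```

Built as-is it reports the PR's defaults; built with "cc -DIPSTATE_SIZE=64747 -DIPSTATE_MAX=45322" it reports the values from the submitted patch, which is the same override path a kernel "options" line takes through opt_ipfilter.h.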

From: Rob Simmons <rsimmons@wlcg.com>
To: freebsd-gnats-submit@freebsd.org
Cc: darrenr@freebsd.org
Subject: Re: kern/27912: ipfilter state table limits are too small
Date: Tue, 13 Nov 2001 16:21:44 -0500 (EST)

 This solves the problem.  Thanks!
 
State-Changed-From-To: feedback->closed 
State-Changed-By: guido 
State-Changed-When: Wed Nov 14 14:05:38 MET 2001 
State-Changed-Why:  
User acknowledged the problem was solved 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27912 

From: Mike Harding <mvh@ix.netcom.com>
To: freebsd-gnats-submit@FreeBSD.org, rsimmons@wumpus.wicg.com,
	darrenr@freebsd.org, guido@freebsd.org
Cc:  
Subject: Re: kern/27912: ipfilter state table limits are too small
Date: Thu,  1 May 2003 07:40:43 -0700 (PDT)

 The following patches to /usr/src/sys/conf/options and
 /sys/i386/conf/LINT should allow the ipfilter state size to be
 adjusted via a kernel 'option' line.  The NAT table sizes could be
 handled in a similar fashion - I'll submit changes if someone will
 actually commit them... it would be a great convenience to be able to
 set this in the kernel file, at least, instead of hacking the source
 code.
 
 netcom1# diff -u /usr/src/sys/i386/conf/LINT.orig LINT
 --- /usr/src/sys/i386/conf/LINT.orig	Thu May  1 07:29:14 2003
 +++ LINT	Thu May  1 07:30:37 2003
 @@ -608,6 +608,8 @@
  options 	IPFILTER		#ipfilter support
  options 	IPFILTER_LOG		#ipfilter logging
  options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
 +options		IPSTATE_SIZE=64997	#create a larger ipfilter state table
 +options		IPSTATE_MAX=45499	#by setting hash size and max entries
  options 	IPSTEALTH		#support for stealth forwarding
  options 	TCPDEBUG
  
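Review bot: The two new options lines only take effect when ipfilter is compiled into the kernel; as noted later in this thread, the module build does not read the options file, so the LINT comment should say that a user of the ipfilter module will still get the built-in defaults. The comment should also state plainly which value is which (IPSTATE_SIZE is the hash table size, IPSTATE_MAX the cap on entries held), since LINT is where users look up the meaning of an option, and the whitespace after "options" on the added lines differs from the surrounding entries, so the columns no longer line up.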
 netcom1# diff -u /usr/src/sys/conf/options.orig /usr/src/sys/conf/options
 --- /usr/src/sys/conf/options.orig	Thu May  1 07:34:12 2003
 +++ /usr/src/sys/conf/options	Thu May  1 07:35:23 2003
 @@ -271,6 +271,8 @@
  IPFILTER		opt_ipfilter.h
  IPFILTER_LOG		opt_ipfilter.h
  IPFILTER_DEFAULT_BLOCK	opt_ipfilter.h
 +IPSTATE_SIZE		opt_ipfilter.h
 +IPSTATE_MAX		opt_ipfilter.h
  IPFIREWALL		opt_ipfw.h
  IPFW2			opt_ipfw.h
  IPFIREWALL_VERBOSE	opt_ipfw.h
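Review bot: Listing IPSTATE_SIZE and IPSTATE_MAX under opt_ipfilter.h only helps if ip_state.h includes opt_ipfilter.h before it reaches its #ifndef defaults; the fragment of ip_state.h quoted earlier in this PR does not show such an include, so please confirm the include order, otherwise the kernel option is silently ignored and the defaults remain in force. For consistency the other compile-time table sizes named later in this thread (NAT_SIZE, RDR_SIZE, HOSTMAP_SIZE, NAT_TABLE_SZ) could be added to the same opt_ipfilter.h entries in the same change.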
 
 - Mike H.

From: Guido van Rooij <guido@gvr.org>
To: Mike Harding <mvh@ix.netcom.com>
Cc: freebsd-gnats-submit@FreeBSD.org, rsimmons@wumpus.wicg.com,
	darrenr@freebsd.org
Subject: Re: kern/27912: ipfilter state table limits are too small
Date: Fri, 2 May 2003 09:10:04 +0200

 On Thu, May 01, 2003 at 07:40:43AM -0700, Mike Harding wrote:
 > 
 > The following patches to /usr/src/sys/conf/options and
 > /sys/i386/conf/LINT should allow the ipfilter state size to be
 > adjusted via a kernel 'option' line.  The NAT table sizes could be
 > handled in a similar fashion - I'll submit changes if someone will
 > actually commit them... it would be a great convenience to be able to
 > set this in the kernel file, at least, instead of hacking the source
 > code.
 
 Seems like a good idea to me. Even better would be IMO to make it
 possible to set them in a loader.conf way. Have you considered that?
 
 -Guido

From: Mike Harding <mvh@ix.netcom.com>
To: Guido van Rooij <guido@gvr.org>
Cc: freebsd-gnats-submit@FreeBSD.org, rsimmons@wumpus.wicg.com,
	darrenr@freebsd.org
Subject: Re: kern/27912: ipfilter state table limits are too small
Date: 02 May 2003 06:46:59 -0700

 It's been mentioned by Darren - the 'options' setting seems so trivial
 to do that it would be worthwhile in the meantime.  I expect most people
 don't need to bump these numbers, but it's a pain to patch your kernel
 source every update if you do.  This could also be done with a read-only
 sysctl set on boot, or, as Darren mentions, you would have to stop and
 restart ipf if you changed the values.  I'd be willing to help with
 patches, but I was getting frustrated that you still have to patch the
 source every time right now.  Also, though, I don't think that these
 values will affect the kernel modules, as the code in
 /usr/src/sys/contrib/ipfilter/netinet/ip_state.c and ip_nat.c will only
 load the options file if not building an LKM.  Darren, is there a reason
 that options should not affect the LKM?  Sorry if this is a dumb
 question, I haven't really worked with LKMs before.
 
 On Fri, 2003-05-02 at 00:10, Guido van Rooij wrote:
 ...
 > 
 > Seems like a good idea to me. Even better would be IMO to make it
 > possible to set them in a loader.conf way. Have you considered that?
 > 
 > -Guido
 

From: Darren Reed <darrenr@reed.wattle.id.au>
To: Mike Harding <mvh@ix.netcom.com>
Cc: Guido van Rooij <guido@gvr.org>,
	freebsd-gnats-submit@FreeBSD.org, rsimmons@wumpus.wicg.com
Subject: Re: kern/27912: ipfilter state table limits are too small
Date: Mon, 5 May 2003 22:13:27 +1000

 In some email I received from Mike Harding, sie wrote:
 > It's been mentioned by Darren - the 'options' setting seems so trivial
 > to do that it would be worthwhile in the meantime.  I expect most people
 > don't need to bump these numbers, but it's a pain to patch your kernel
 > source every update if you do.  This could also be done with a read-only
 > sysctl set on boot, or, as Darren mentions, you would have to stop and
 > restart ipf if you changed the values.  I'd be willing to help with
 > patches, but I was getting frustrated that you still have to patch the
 > source every time right now.  Also, though, I don't think that these
 > values will affect the kernel modules, as the code in
 > /usr/src/sys/contrib/ipfilter/netinet/ip_state.c and ip_nat.c will only
 > load the options file if not building an LKM.  Darren, is there a reason
 > that options should not affect the LKM?  Sorry if this is a dumb
 > question, I haven't really worked with LKMs before.
 
 It's got to do with how the LKM's are built.
 
 4.0 has these as variables that are sysctl'able - read while ipfilter is
 enabled, read-write while disabled.
 
 Darren

From: Darren Reed <darrenr@reed.wattle.id.au>
To: Mike Harding <mvh@ix.netcom.com>
Cc: freebsd-gnats-submit@FreeBSD.org, rsimmons@wumpus.wicg.com,
	guido@FreeBSD.org
Subject: Re: kern/27912: ipfilter state table limits are too small
Date: Mon, 05 May 2003 22:16:30 +1000

 Well, the list of external symbols that can work that way is:
 
 IPSTATE_SIZE
 IPSTATE_MAX
 NAT_SIZE
 RDR_SIZE
 HOSTMAP_SIZE
 NAT_TABLE_SZ
 
 Darren

From: Mike Harding <mvh@ix.netcom.com>
To: Darren Reed <darrenr@reed.wattle.id.au>
Cc: Guido van Rooij <guido@gvr.org>,
	freebsd-gnats-submit@FreeBSD.org, rsimmons@wumpus.wicg.com
Subject: Re: kern/27912: ipfilter state table limits are too small
Date: 05 May 2003 07:47:23 -0700

 I assume that you mean 5.0+ for freebsd?  I am using 4.8 and don't see
 sysctls for these, but sysctls would be ideal, yes.  I am not finding
 any sysctl code in the cvs tree for these variables, however.  I did a
 'grep' on the entire cvs source tree (which should cover all releases)
 and did not see any references to setting fr_statemax via sysctl.  I do
 see other variables, however.  Am I missing something?
 
 On Mon, 2003-05-05 at 05:13, Darren Reed wrote:
 ...
 > 4.0 has these as variables that are sysctl'able - read while ipfilter is
 > enabled, read-write while disabled.
 > 
 > Darren
 

From: Darren Reed <darrenr@reed.wattle.id.au>
To: Mike Harding <mvh@ix.netcom.com>
Cc: Darren Reed <darrenr@reed.wattle.id.au>,
	Guido van Rooij <guido@gvr.org>, freebsd-gnats-submit@FreeBSD.org,
	rsimmons@wumpus.wicg.com
Subject: Re: kern/27912: ipfilter state table limits are too small
Date: Wed, 07 May 2003 21:12:13 +1000

 No, IPFilter 4.0
 
 In some email I received from Mike Harding, sie wrote:
 > I assume that you mean 5.0+ for freebsd?  I am using 4.8 and don't see
 > sysctls for these, but sysctls would be ideal, yes.  I am not finding
 > any sysctl code in the cvs tree for these variables, however.  I did a
 > 'grep' on the entire cvs source tree (which should cover all releases)
 > and did not see any references to setting fr_statemax via sysctl.  I do
 > see other variables, however.  Am I missing something?
 > 
 > On Mon, 2003-05-05 at 05:13, Darren Reed wrote:
 > ....
 > > 4.0 has these as variables that are sysctl'able - read while ipfilter is
 > > enabled, read-write while disabled.
 > > 
 > > Darren
 > 
 > 
 > 
>Unformatted:
