Too many dynamic rules
Dan Nelson
dnelson at allantgroup.com
Tue Nov 13 02:27:10 UTC 2012
In the last episode (Nov 12), Darrel said:
> Hello,
>
> Today I booted r242670 from the console and noticed an error. This
> is one line from the end of dmesg:
>
> ipfw: ipfw_install_state: Too many dynamic rules
>
> The ruleset has always been dynamic and has no additional rules.
> Search engines produced similar error messages, but no information
> that seems to be the correct solution.
>
> I have a basically identical ruleset on fbsd91 and no error message.
That means that the dynamic rules generated by the keep-state keyword hit
the currently configured limit. If you get hit with a lot of random traffic
that matches a keep-state rule, you'll get that message. It's not the rules
themselves that cause this, it's the traffic.
Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare the
two values. If count is near to dyn_max, you can simply raise dyn_max.
It's a writeable sysctl. I set it to 65535 on my systems in
/etc/sysctl.conf with no apparent ill effects.
--
Dan Nelson
dnelson at allantgroup.com
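The check Dan describes (compare net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max, then raise the writable sysctl and persist it in /etc/sysctl.conf) as a small POSIX shell script. This is an added example, not code from the thread or from FreeBSD; only the two sysctl names come from the message. The 90% warning threshold, the doubling policy for the new limit, and the sample values used in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check ipfw dynamic-state headroom the
# way Dan describes and compute a new dyn_max. Only the sysctl OIDs come from
# the thread; the 90% threshold and the doubling policy are assumptions.

DYN_COUNT_OID=net.inet.ip.fw.dyn_count
DYN_MAX_OID=net.inet.ip.fw.dyn_max

# dyn_usage_pct COUNT MAX: integer percentage of the dynamic-rule limit in use.
dyn_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# dyn_near_limit COUNT MAX THRESHOLD_PCT: succeeds when usage is at or above
# the threshold, i.e. when keep-state traffic is about to hit the limit.
dyn_near_limit() {
    [ "$(dyn_usage_pct "$1" "$2")" -ge "$3" ]
}

# suggest_dyn_max COUNT MAX: smallest power-of-two multiple of MAX that leaves
# at least 2x headroom over the current count (assumed policy, not from the thread).
suggest_dyn_max() {
    count=$1 new=$2
    while [ "$new" -lt $(( count * 2 )) ]; do
        new=$(( new * 2 ))
    done
    echo "$new"
}

# sysctl_conf_line NEWMAX: the /etc/sysctl.conf line that persists the change.
sysctl_conf_line() {
    echo "${DYN_MAX_OID}=$1"
}

# report COUNT MAX: one-line summary; returns 1 when near the limit so it can
# be used from cron or a monitoring check. Constructed sample: 4000/4096 -> near limit.
report() {
    pct=$(dyn_usage_pct "$1" "$2")
    if dyn_near_limit "$1" "$2" 90; then
        echo "ipfw dynamic rules: $1/$2 (${pct}%) - near limit; suggest: $(sysctl_conf_line "$(suggest_dyn_max "$1" "$2")")"
        return 1
    fi
    echo "ipfw dynamic rules: $1/$2 (${pct}%) - ok"
}

# main [--apply]: read the live values and, with --apply, raise dyn_max at
# runtime (it is a writable sysctl, so the change takes effect immediately).
main() {
    count=$(sysctl -n "$DYN_COUNT_OID")
    max=$(sysctl -n "$DYN_MAX_OID")
    if ! report "$count" "$max" && [ "${1:-}" = "--apply" ]; then
        sysctl "${DYN_MAX_OID}=$(suggest_dyn_max "$count" "$max")"
    fi
}

# Run the live check only where the ipfw OIDs exist; the functions above work anywhere.
if [ "$(uname -s)" = FreeBSD ] && sysctl -n "$DYN_MAX_OID" >/dev/null 2>&1; then
    main "$@"
fi
```

Run it as `sh ipfw_dyn.sh` to see the current count against the limit, and `sh ipfw_dyn.sh --apply` to raise dyn_max in place; copy the printed `net.inet.ip.fw.dyn_max=...` line into /etc/sysctl.conf so the new limit survives a reboot. Because the message is triggered by traffic volume rather than by the ruleset, re-check after raising the limit: a count that keeps climbing toward whatever dyn_max you set suggests a flood of state-creating traffic rather than an undersized table.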