Too many dynamic rules

Ivan Voras ivoras at freebsd.org
Tue Nov 13 14:33:15 UTC 2012


On 13/11/2012 03:23, Dan Nelson wrote:
> In the last episode (Nov 12), Darrel said:
>> Hello,
>>
>> Today I booted r242670 from the console and noticed an error.  This
>> is one line from the end of dmesg:
>>
>> ipfw: ipfw_install_state: Too many dynamic rules
>>
>> The ruleset has always been dynamic and has no additional rules.
>> Search engines produced similar error messages, but no information
>> that seems to be the correct solution.
>>
>> I have a basically identical ruleset on fbsd91 and no error message.
> 
> That means that the dynamic rules generated by the keep-state keyword hit
> the currently-configured limit.  If you get hit with a lot of random traffic
> that matches a keep-state rule, you'll get that message.  It's not the rules
> themselves that cause this, it's the traffic.
> 
> Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare the
> two values.  If count is near to dyn_max, you can simply raise dyn_max. 
> It's a writeable sysctl.  I set it to 65535 on my systems in
> /etc/sysctl.conf with no apparent ill effects.

I have huge problems with the default settings, and I beat them down
with the following:

net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_ack_lifetime=60
net.inet.tcp.fast_finwait2_recycle=1

I also add these, though I don't think they help this particular problem:

net.inet.tcp.nolocaltimewait=1
net.inet.tcp.ecn.enable=1
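The check Dan describes (compare net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max) is easy to script so it can run from cron or a monitoring agent and warn before ipfw starts dropping new flows. The following is an added example, not code from either poster; it assumes the FreeBSD `sysctl` output format (`name: value`, or bare values with `-n`), and the 80% warning threshold is an arbitrary choice.

```sh
#!/bin/sh
# Added example: warn when ipfw's dynamic-rule table approaches dyn_max.
# Not part of the original thread; threshold and function names are assumptions.

# dyn_usage_pct COUNT MAX -> prints integer percentage of the table in use.
dyn_usage_pct() {
    count=$1
    max=$2
    # dyn_max of 0 would mean "no dynamic rules at all"; avoid dividing by it.
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# dyn_check COUNT MAX [THRESHOLD_PCT] -> exit 0 if below threshold, 1 if at/above.
# Threshold defaults to 80 (assumed value, not from the thread).
dyn_check() {
    pct=$(dyn_usage_pct "$1" "$2")
    thr=${3:-80}
    if [ "$pct" -ge "$thr" ]; then
        echo "WARNING: ipfw dynamic rules at ${pct}% of dyn_max ($1/$2);" \
             "consider raising net.inet.ip.fw.dyn_max or checking for flooding traffic"
        return 1
    fi
    echo "OK: ipfw dynamic rules at ${pct}% of dyn_max ($1/$2)"
    return 0
}

# parse_dyn_values: reads the output of
#   sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count
# on stdin (one "name: value" per line, either order) and prints "COUNT MAX".
parse_dyn_values() {
    awk -F': ' '/dyn_max/ {m=$2} /dyn_count/ {c=$2} END {print c, m}'
}

# dyn_check_live [THRESHOLD_PCT]: run the check against the live kernel values.
# Only meaningful on a FreeBSD host with ipfw loaded; elsewhere sysctl fails.
dyn_check_live() {
    vals=$(sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count 2>/dev/null) || {
        echo "ipfw dynamic-rule sysctls not available on this host"
        return 2
    }
    set -- $(printf '%s\n' "$vals" | parse_dyn_values) "$1"
    dyn_check "$1" "$2" "$3"
}

# Offline demonstration on constructed sysctl output (not captured from a real host).
SAMPLE='net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 3900'
set -- $(printf '%s\n' "$SAMPLE" | parse_dyn_values)
dyn_check "$1" "$2" || true
```

Run `dyn_check_live` on the firewall itself; a non-zero exit can be wired into whatever alerting the host already uses. Two caveats when tuning the values Ivan lists: net.inet.ip.fw.dyn_buckets must be a power of two (his 1024 is), and raising dyn_max only buys headroom, so a count that keeps climbing toward the limit on a ruleset that has not changed is worth correlating with traffic logs, since the table filling up can be the symptom of a flood rather than of a too-small default.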
