On 3/27/06, Chris Buechler <cbuechler at gmail dot com> wrote:
> Those of you on the commit messages list saw I committed this today:
> before I build this on the live site, any comments, feedback, or
> suggested changes? Just want to make sure I'm not grossly
> misrepresenting anything.
I found this, hope it's helpful
IP Filter FAQ
# How do I enlarge the state table? What else should be tweaked for
Edit ipf_state.h and look for the lines:
# define IPSTATE_SIZE 5737
# define IPSTATE_MAX 4013 /* Maximum number of states held */
IPSTATE_MAX should be approx. 70% of IPSTATE_SIZE and both numbers
should be prime. The exact values you need depend highly upon the
situation, but do NOT go crazy. Numbers in the 6 digits are very
excessive. If you are having trouble with your state tables check out
section IV-12 first.
For very high-traffic installations this will need to be tweaked.
A good number to start with is 10 connections per workstation and
adjust from there. Other things that might need tweaking depending on
your situation are NMBCLUSTERS and NAT_SIZE.
Just as a guide, here's some of the other #defines and what they mean:
NAT_SIZE - Size of the hash table for NAT rules
RDR_SIZE - Size of the hash table for RDR rules
NAT_TABLE_SZ - Size of the hash table which holds all active MAP/RDR entries
HOSTMAP_SIZE - Table for holding the mapping of internal hosts to
external IPs for consistency purposes when talking to a specific
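
Added example, not part of the original message or of the IP Filter sources: a small check that reads the two state-table #defines quoted above and reports where they break the FAQ's sizing rules (both prime, IPSTATE_MAX approx. 70% of IPSTATE_SIZE, no six-digit values). The function names, the 0.05 tolerance around 70% and the "bad" sample header are assumptions made for this illustration.

```python
import re

# Accepts "#define NAME 123" and the "# define NAME 123" spelling quoted in the FAQ.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(IPSTATE_SIZE|IPSTATE_MAX)\s+(\d+)\b")

def is_prime(n):
    """Trial division; fast enough for hash-table sizes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def check_state_defines(header_text, tolerance=0.05):
    """Return a list of findings; an empty list means the FAQ's rules are met."""
    values = {m.group(1): int(m.group(2))
              for m in map(DEFINE_RE.match, header_text.splitlines()) if m}
    findings = []
    for name in ("IPSTATE_SIZE", "IPSTATE_MAX"):
        if name not in values:
            findings.append(f"{name}: not defined")
            continue
        v = values[name]
        if not is_prime(v):
            findings.append(f"{name}: {v} is not prime")
        if v >= 100000:  # the FAQ calls six-digit values very excessive
            findings.append(f"{name}: {v} has six or more digits")
    if len(values) == 2 and values["IPSTATE_SIZE"] > 0:
        ratio = values["IPSTATE_MAX"] / values["IPSTATE_SIZE"]
        if abs(ratio - 0.70) > tolerance:  # tolerance is an assumption
            findings.append(f"IPSTATE_MAX is {ratio:.0%} of IPSTATE_SIZE, expected approx. 70%")
    return findings

# The two lines exactly as quoted in the FAQ.
FAQ_HEADER = """# define IPSTATE_SIZE 5737
# define IPSTATE_MAX 4013 /* Maximum number of states held */
"""
# Constructed sample: only IPSTATE_SIZE was raised, and far too much.
BAD_HEADER = "#define IPSTATE_SIZE 200000\n#define IPSTATE_MAX 4013\n"

if __name__ == "__main__":
    for label, text in (("FAQ values", FAQ_HEADER), ("constructed bad values", BAD_HEADER)):
        print(label, "->", check_state_defines(text) or "OK")
```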