[ previous ] [ next ] [ threads ]
 
 From:  sai <sonicsai at gmail dot com>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] seeking feedback on new FAQ entry
 Date:  Tue, 28 Mar 2006 12:15:11 +0500
On 3/27/06, Chris Buechler <cbuechler at gmail dot com> wrote:
> those of you on the commit messages list saw I committed this today:
> http://doc.m0n0.ch/~cmb/test/handbook/faq-state-table-size.html
>
> before I build this on the live site, any comments, feedback, or
> suggested changes?  Just want to make sure I'm not grossly
> misrepresenting anything.
>
> thanks
> -Chris
>

I found this, hope its helpful

sai

----------------------
IP Filter FAQ
http://www.phildev.net/ipf/IPFques.html#ques25

# How do I enlarge the state table? What else should be tweaked for
high-stress installs?

    Edit ipf_state.h and look for the lines:


    #ifndef IPSTATE_SIZE
    # define        IPSTATE_SIZE    5737
    #endif
    #ifndef IPSTATE_MAX
    # define        IPSTATE_MAX     4013    /* Maximum number of states held */
    #endif


    IPSTATE_MAX should be approx. 70% of IPSTATE_SIZE and both numbers
should be prime. The exact values you need depend highly upon the
situation, but do NOT go crazy. Numbers in the 6 digits are very
excessive. If you are having trouble with your state tables check out
section IV-12 first.

    For very high-traffic installations this will need to be tweaked.
A good number to start with is 10 connections per workstation and
adjust from there. Other things that might need tweaking depending on
your situation is NMBCLUSTERS and NAT_SIZE.

    Just as a guide, here's some of the other #defines and what they mean:
    NAT_SIZE - Size of the hash table for NAT rules
    RDR_SIZE - Size of the hash table for RDR rules
    NAT_TABLE_SZ - Size of the hash table which holds all active MAP/RDR entries
    HOSTMAP_SIZE - Table for holding the mapping of internal hosts to
external IPs for consistency purposes when talking to a specific
remote host