 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Fred Wright <fw at well dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Increasing ipfilter NAT/state table sizes by default?
 Date:  Fri, 01 Oct 2004 12:50:47 +0200
On 01.10.2004 00:30 -0700, Fred Wright wrote:

> Umm, in the source I have here (ip_nat.h from V3.4.33), the default
> for NAT_TABLE_SZ is 2047, or 16383 with the LARGE_NAT defaults.
> Note that neither of these is prime. :-)

Right, my mistake. ;)

> Note that with the current parameters, the 30000 NAT entries
> allowed would tie up about 7.5MB, which is a bit much on a 32M
> Soekris.  There's some code to reduce the limit if it has trouble
> with allocations, but I suspect the system would be pretty sick by
> the time it actually reached that code. So this limit may actually
> be too *large* for the Soekris (and perhaps even WRAP) builds.  The
> 4013 filter entries would use about 1MB.

What about 64 MB boxes? I mean, increasing IPSTATE_SIZE/IPSTATE_MAX
as well as NAT_TABLE_SIZE/NAT_TABLE_MAX alone to handle around ~50000
entries would only cost a few hundred KB extra. But since it's then
possible to go beyond ~4000 states, the 32 MB box could run out of
memory during very heavy use and crash/panic/whatever. If we can be
sure that it's no problem on a 64 MB box, I'd say let's go ahead. I
don't really care about the 32 MB boxes, and as long as they work
more or less (without webGUI firmware updates, and maybe with
problems when tens of thousands of connections are established), it's
OK with me. I don't want a few net4511s to limit the "recommended
setup" (which is 64+ MB). Also, a "one size fits all" value would
save another tuneable parameter in the config that many people
wouldn't understand. People with extremely high-volume setups can still
compile their own kernel if they decide to use m0n0wall.

Memory usage on my net4501 is usually on the order of 33%, so that
should leave 25 megs for 50000 NAT and state table entries in the
extreme case (while it's doubtful anyway if a net4501 would be fast
enough to handle that kind of load). I guess I'll just ship the next
beta with a NAT/state max. of ~50000, and then people can test.

- Manuel
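A rough capacity-planning helper for the sizing argument in this thread, added here as an example that is not part of the discussion or of the m0n0wall/ipfilter code. It separates the fixed hash-bucket arrays (the "few hundred KB") from the worst-case dynamic entry allocations (the "7.5MB for 30000 entries"), and picks prime bucket counts as Fred suggests; the ~256-byte per-entry size is inferred from Fred's figures and, like the 32-bit pointer size, is an assumption.

```python
# Added example: capacity planning for ipfilter NAT/state tables on a
# small-memory firewall. Not the real ipfilter sizeof() values; all
# constants below are assumptions derived from the numbers in the thread.
from dataclasses import dataclass

POINTER_BYTES = 4        # 32-bit kernel on Soekris/WRAP-class boards
# 30000 NAT entries ~= 7.5 MB and 4013 state entries ~= 1 MB in the
# thread, i.e. roughly 256 bytes per entry (constructed approximation).
NAT_ENTRY_BYTES = 256
STATE_ENTRY_BYTES = 256


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n: int) -> int:
    """Smallest prime >= n; hash bucket counts distribute better when prime."""
    while not is_prime(n):
        n += 1
    return n


@dataclass
class TableBudget:
    bucket_bytes: int    # fixed cost: hash array allocated at boot
    entry_bytes: int     # worst case: every allowed entry in use

    @property
    def total_bytes(self) -> int:
        return self.bucket_bytes + self.entry_bytes


def table_budget(buckets: int, max_entries: int, entry_size: int) -> TableBudget:
    """IPSTATE_SIZE/NAT_TABLE_SZ style buckets vs IPSTATE_MAX/NAT_TABLE_MAX entries."""
    return TableBudget(buckets * POINTER_BYTES, max_entries * entry_size)


def fits(ram_mb: int, used_fraction: float, nat: TableBudget, state: TableBudget) -> bool:
    """True if the worst-case table memory fits in the RAM not already in use."""
    free_bytes = ram_mb * 1024 * 1024 * (1 - used_fraction)
    return nat.total_bytes + state.total_bytes <= free_bytes
```

With 50000 NAT and 50000 state entries the fixed bucket arrays cost about 400 KB, but the fully populated tables need about 26 MB, which fits a 64 MB box at 33% usage and does not fit a 32 MB one.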