Bug 27912

Summary: ipfilter state table limits are too small
Product: Base System
Reporter: Rob Simmons <rsimmons>
Component: kern
Assignee: Darern Reed <darrenr>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.3-STABLE
Hardware: Any
OS: Any
Attachments: file.diff (flags: none)

Description Rob Simmons 2001-06-06 20:00:04 UTC
The ipfilter state table limits are too small.  Ideally there should be
a sysctl knob for changing these limits on the fly.  The second most ideal
solution is to have a kernel configuration file knob.  The last solution
which is less than ideal, but would work for most people is to apply the
patch supplied below.

How-To-Repeat: The state tables right now have the following values:
#define IPSTATE_SIZE    5737
#define IPSTATE_MAX     4013
Comment 1 dwmalone freebsd_committer freebsd_triage 2001-06-06 20:32:39 UTC
Responsible Changed
From-To: freebsd-bugs->darrenr

ipfilter is Darren's.
Comment 2 Darern Reed freebsd_committer freebsd_triage 2001-07-30 23:59:23 UTC
State Changed
From-To: open->feedback

both of those #defines (IPSTATE_SIZE & IPSTATE_MAX) are now only #define'd 
in ip_state.h if they are previously undefined.  A kernel config with the 
lines "options IPSTATE_SIZE=100000" (for example) should cause it to be 
compiled with -DIPSTATE_SIZE=100000.  Maybe this, and other things, should 
find their way into "opt_ipfilter.h" ?
Comment 3 rsimmons 2001-11-13 21:21:44 UTC
This solves the problem.  Thanks!
Comment 4 guido freebsd_committer freebsd_triage 2001-11-14 13:05:38 UTC
State Changed
From-To: feedback->closed

User acknowledged the problem was solved
Comment 5 mvh 2003-05-01 15:40:43 UTC
The following patches to /usr/src/sys/conf/options and
/sys/i386/conf/LINT should allow the ipfilter state size to be
adjusted via a kernel 'option' line.  The NAT table sizes could be
handled in a similar fashion - I'll submit changes if someone will
actually commit them... it would be a great convenience to be able to
set this in the kernel file, at least, instead of hacking the source
code.

netcom1# diff -u /usr/src/sys/i386/conf/LINT.orig LINT
--- /usr/src/sys/i386/conf/LINT.orig	Thu May  1 07:29:14 2003
+++ LINT	Thu May  1 07:30:37 2003
@@ -608,6 +608,8 @@
 options 	IPFILTER		#ipfilter support
 options 	IPFILTER_LOG		#ipfilter logging
 options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
+options		IPSTATE_SIZE=64997	#create a larger ipfilter state table
+options		IPSTATE_MAX=45499	#by setting hash size and max entries
 options 	IPSTEALTH		#support for stealth forwarding
 options 	TCPDEBUG
 
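Review bot: the two added LINT lines use a double tab after `options` while the neighbouring entries use a single tab (compare `+options		IPSTATE_SIZE=64997` with ` options 	IPFILTER`), and the comment is one sentence split across the two lines, so the second line read on its own (`#by setting hash size and max entries`) says nothing about what IPSTATE_MAX is; suggest matching the existing whitespace and giving each line a self-contained comment that also names the default it replaces, e.g. `#ipfilter state hash table size (default 5737)` and `#max ipfilter state entries (default 4013)`, since those defaults are stated in the report and a reader of LINT otherwise has no way to judge whether 64997/45499 is a sane ratio.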
netcom1# diff -u /usr/src/sys/conf/options.orig /usr/src/sys/conf/options
--- /usr/src/sys/conf/options.orig	Thu May  1 07:34:12 2003
+++ /usr/src/sys/conf/options	Thu May  1 07:35:23 2003
@@ -271,6 +271,8 @@
 IPFILTER		opt_ipfilter.h
 IPFILTER_LOG		opt_ipfilter.h
 IPFILTER_DEFAULT_BLOCK	opt_ipfilter.h
+IPSTATE_SIZE		opt_ipfilter.h
+IPSTATE_MAX		opt_ipfilter.h
 IPFIREWALL		opt_ipfw.h
 IPFW2			opt_ipfw.h
 IPFIREWALL_VERBOSE	opt_ipfw.h
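Review bot: mapping IPSTATE_SIZE and IPSTATE_MAX to opt_ipfilter.h only works if ip_state.h sees that header before its own fallback `#define`s (comment 2 says the defaults are now defined only when the symbols are previously undefined), and comment 7 points out that ip_state.c and ip_nat.c only pull in the options header when not building an LKM, so a module build will silently keep 5737/4013 while a static kernel gets the new values; suggest confirming the include order in ip_state.c and either documenting in LINT that these two options apply to a static kernel only, or fixing the module build in the same change so the two builds cannot diverge without anyone noticing.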

- Mike H.
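To make concrete what the two hunks above change, here is an added example (not code from the bug report, from FreeBSD or from ipfilter) that models the path a kernel `options` line takes: config(8) looks the option up in sys/conf/options, writes a `#define` into the header named there (opt_ipfilter.h for these two), and ip_state.h then uses its own 5737/4013 defaults only when the symbols are still undefined, as Darren describes in comment 2. The options-file and kernel-config excerpts are constructed from the hunks, the `opt_global.h` treatment of bare options is modelled after config(8) but not on this page, and the load-factor bound in `check_state_sizes` is an assumption kept from the ratio the defaults and the patch both use, not an ipfilter rule.

```python
"""Model of how a FreeBSD kernel 'options' line reaches ipfilter via
opt_ipfilter.h, plus a reviewer's sanity check on the chosen table sizes.
Added example; not code from the bug report, FreeBSD or ipfilter."""
import re

# Constructed excerpt of sys/conf/options: option name -> header that config(8)
# writes it into. The two IPSTATE lines are the ones the second hunk adds.
OPTIONS_MAP = """\
IPFILTER\t\topt_ipfilter.h
IPFILTER_LOG\t\topt_ipfilter.h
IPFILTER_DEFAULT_BLOCK\topt_ipfilter.h
IPSTATE_SIZE\t\topt_ipfilter.h
IPSTATE_MAX\t\topt_ipfilter.h
IPFIREWALL\t\topt_ipfw.h
"""

# Constructed kernel config excerpt using the values from the LINT hunk.
KERNEL_CONFIG = """\
options \tIPFILTER\t\t#ipfilter support
options \tIPFILTER_LOG\t\t#ipfilter logging
options\t\tIPSTATE_SIZE=64997\t#create a larger ipfilter state table
options\t\tIPSTATE_MAX=45499\t#by setting hash size and max entries
options \tIPFIREWALL
"""

# Defaults ip_state.h falls back to when the symbols are not pre-defined
# (the values quoted in the report's How-To-Repeat section).
DEFAULT_IPSTATE_SIZE = 5737
DEFAULT_IPSTATE_MAX = 4013


def parse_options_map(text):
    """Return {option_name: header_file} from an options-file excerpt.
    An option with no header listed goes to opt_global.h in config(8);
    modelled here as None so the caller can see it was not assigned."""
    mapping = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        mapping[parts[0]] = parts[1] if len(parts) > 1 else None
    return mapping


def parse_kernel_config(text):
    """Return {option_name: value_or_None} for every 'options' line."""
    opts = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'options\s+([A-Za-z_][A-Za-z0-9_]*)(?:=(\S+))?$', line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def build_opt_headers(kernel_config, options_map):
    """Group the config's options into the #define lines config(8) would emit,
    keyed by header file. Options missing from the map are returned separately
    so a misspelled option does not silently vanish from the build."""
    headers, unknown = {}, []
    for name, value in parse_kernel_config(kernel_config).items():
        header = options_map.get(name)
        if header is None:
            unknown.append(name)
            continue
        define = f'#define {name} {value if value is not None else 1}'
        headers.setdefault(header, []).append(define)
    return headers, unknown


def effective_state_sizes(kernel_config, options_map):
    """Apply the '#ifndef X / #define X <default>' rule from ip_state.h to
    what landed in opt_ipfilter.h and return (IPSTATE_SIZE, IPSTATE_MAX)."""
    headers, _ = build_opt_headers(kernel_config, options_map)
    defines = {}
    for line in headers.get('opt_ipfilter.h', []):
        _, name, value = line.split()
        defines[name] = value
    size = int(defines.get('IPSTATE_SIZE', DEFAULT_IPSTATE_SIZE))
    maxent = int(defines.get('IPSTATE_MAX', DEFAULT_IPSTATE_MAX))
    return size, maxent


def check_state_sizes(size, maxent):
    """Checks a reviewer would apply before committing new values. The 0.8
    load-factor bound is an assumption that keeps the ratio used by both the
    defaults (4013/5737) and the patch (45499/64997); it is not an ipfilter rule."""
    problems = []
    if size <= 0 or maxent <= 0:
        problems.append('sizes must be positive')
    if maxent > size:
        problems.append('IPSTATE_MAX exceeds hash size IPSTATE_SIZE')
    if size > 0 and maxent / size > 0.8:
        problems.append('load factor above 0.8; expect long hash chains')
    return problems


if __name__ == '__main__':
    opts = parse_options_map(OPTIONS_MAP)
    headers, unknown = build_opt_headers(KERNEL_CONFIG, opts)
    for header, lines in headers.items():
        print(header, lines)
    print('unknown options:', unknown)
    size, maxent = effective_state_sizes(KERNEL_CONFIG, opts)
    print('effective sizes:', size, maxent, check_state_sizes(size, maxent))
```

Run with no arguments it prints the generated header contents and the effective sizes for the constructed config; dropping the two IPSTATE lines from `KERNEL_CONFIG` shows the fallback to 5737/4013. This only models the static-kernel build: as comment 7 notes, an LKM build of ipfilter does not include opt_ipfilter.h at all, so the module would still see the defaults whatever the kernel config says.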
Comment 6 guido 2003-05-02 08:10:04 UTC
On Thu, May 01, 2003 at 07:40:43AM -0700, Mike Harding wrote:
> 
> The following patches to /usr/src/sys/conf/options and
> /sys/i386/conf/LINT should allow the ipfilter state size to be
> adjusted via a kernel 'option' line.  The NAT table sizes could be
> handled in a similar fashion - I'll submit changes if someone will
> actually commit them... it would be a great convenience to be able to
> set this in the kernel file, at least, instead of hacking the source
> code.

Seems like a good idea to me. Even better would be IMO to make it
possible to set them in a loader.conf way. Have you considered that?

-Guido
Comment 7 mvh 2003-05-02 14:46:59 UTC
It's been mentioned by Darren - the 'options' setting seems so trivial
to do that it would be worthwhile in the meantime.  I expect most people
don't need to bump these numbers, but it's a pain to patch your kernel
source every update if you do.  This could also be done with a read-only
sysctl set on boot, or, as Darren mentions, you would have to stop and
restart ipf if you changed the values.  I'd be willing to help with
patches, but I was getting frustrated that you still have to patch the
source every time right now.  Also, though, I don't think that these
values will affect the kernel modules, as the code in
/usr/src/sys/contrib/ipfilter/netinet/ip_state.c and ip_nat.c will only
load the options file if not building an LKM.  Darren, is there a reason
that options should not affect the LKM?  Sorry if this is a dumb
question, I haven't really worked with LKMs before.

On Fri, 2003-05-02 at 00:10, Guido van Rooij wrote:
...
> 
> Seems like a good idea to me. Even better would be IMO to make it
> possible to set them in a loader.conf way. Have you considered that?
> 
> -Guido
Comment 8 Darren Reed 2003-05-05 13:13:27 UTC
In some email I received from Mike Harding, sie wrote:
> It's been mentioned by Darren - the 'options' setting seems so trivial
> to do that it would be worthwhile in the meantime.  I expect most people
> don't need to bump these numbers, but it's a pain to patch your kernel
> source every update if you do.  This could also be done with a read-only
> sysctl set on boot, or, as Darren mentions, you would have to stop and
> restart ipf if you changed the values.  I'd be willing to help with
> patches, but I was getting frustrated that you still have to patch the
> source every time right now.  Also, though, I don't think that these
> values will affect the kernel modules, as the code in
> /usr/src/sys/contrib/ipfilter/netinet/ip_state.c and ip_nat.c will only
> load the options file if not building an LKM.  Darren, is there a reason
> that options should not affect the LKM?  Sorry if this is a dumb
> question, I haven't really worked with LKMs before.

It's got to do with how the LKM's are built.

4.0 has these as variables that are sysctl'able - read while ipfilter is
enabled, read-write while disabled.

Darren
Comment 9 Darren Reed 2003-05-05 13:16:30 UTC
Well, the list of external symbols that can work that way is:

IPSTATE_SIZE
IPSTATE_MAX
NAT_SIZE
RDR_SIZE
HOSTMAP_SIZE
NAT_TABLE_SZ

Darren
Comment 10 mvh 2003-05-05 15:47:23 UTC
I assume that you mean 5.0+ for freebsd?  I am using 4.8 and don't see
sysctls for these, but sysctls would be ideal, yes.  I am not finding
any sysctl code in the cvs tree for these variables, however.  I did a
'grep' on the entire cvs source tree (which should cover all releases)
and did not see any references to setting fr_statemax via sysctl.  I do
see other variables, however.  Am I missing something?

On Mon, 2003-05-05 at 05:13, Darren Reed wrote:
...
> 4.0 has these as variables that are sysctl'able - read while ipfilter is
> enabled, read-write while disabled.
> 
> Darren
Comment 11 Darren Reed 2003-05-07 12:12:13 UTC
No, IPFilter 4.0

In some email I received from Mike Harding, sie wrote:
> I assume that you mean 5.0+ for freebsd?  I am using 4.8 and don't see
> sysctls for these, but sysctls would be ideal, yes.  I am not finding
> any sysctl code in the cvs tree for these variables, however.  I did a
> 'grep' on the entire cvs source tree (which should cover all releases)
> and did not see any references to setting fr_statemax via sysctl.  I do
> see other variables, however.  Am I missing something?
> 
> On Mon, 2003-05-05 at 05:13, Darren Reed wrote:
> ....
> > 4.0 has these as variables that are sysctl'able - read while ipfilter is
> > enabled, read-write while disabled.
> > 
> > Darren
> 
> 
>