Subject: Re: Large ipf Rule Sets - Memory Usage and NetBSD 2.1_Stable
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: None <yancm@sdf.lonestar.org>
List: tech-net
Date: 03/26/2006 07:56:40
> On Fri, Mar 24, 2006 at 04:31:25PM -0500, yancm@sdf.lonestar.org wrote:
>>
>> Question 2: If I flush the rulesets, I do not seem to get this
>> kernel memory back. How can I determine if this is a NetBSD kernel
>> issue or an ipf issue?
>
> Does ipf -D get it back ?
>
No. AFAICT. Is there a better way to look at memory usage?
I'm using 'systat vmstat'...
Before ipf -D:
        memory totals (in kB)
           real  virtual     free
Active    45108   111896     9084
All      245296   312084   204948
After ipf -D:
        memory totals (in kB)
           real  virtual     free
Active    45196   111316     9028
All      245352   311472   205560
And as I try to reload my ruleset after ipf -E...
behavior is improved...post load I get:
        memory totals (in kB)
           real  virtual     free
Active    33748   107372    22068
All      232312   305936   211096
In the past this would have driven the active real memory to
a small number and then effectively ground to a halt.
Then after I reload my *nat* rules (it surprised me a little that
nat got flushed too...it's easy to think of ipnat and ipf as separate
programs which they are not):
        memory totals (in kB)
           real  virtual     free
Active    43976   116792     7140
All      247240   320056   196976
If you give me suggestions to investigate, I'll be glad to
try stuff... Thanks!