How to tune IPFilter kernel tunable parameters.

Applies to:

Solaris SPARC Operating System - Version 10 8/07 U4 to 10 9/10 U9 [Release 10.0]
Solaris x64/x86 Operating System - Version 10 8/07 U4 to 10 9/10 U9 [Release 10.0]
All Platforms

Goal

Since S10U4,one may use /usr/kernel/drv/ipf.conf [see driver.conf(4)] to tune IPfilter.
Here we provide a simple guide along with its explanation.

For more details, Please also refer to ipf(1M) and ipf.conf(4) and http://download.oracle.com/docs/cd/E19253-01/index.html

Fix

Please stop any other operation on ipf first.

(1) Print out all IPFilter kernel tunable parameters
$ipf -T list
fr_flags min 0 max 0xffffffff current 0
fr_active min 0 max 0 current 0
fr_control_forwarding min 0 max 0x1 current 0
fr_update_ipid min 0 max 0x1 current 0
fr_chksrc min 0 max 0x1 current 0
fr_minttl min 0 max 0x1 current 4
fr_icmpminfragmtu min 0 max 0x1 current 68
fr_pass min 0 max 0xffffffff current 134217730
ipf_loopback min 0 max 0x1 current sz = 0
fr_tcpidletimeout min 0x1 max 0x7fffffff current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff current 240
fr_tcplastack min 0x1 max 0x7fffffff current 240
fr_tcptimeout min 0x1 max 0x7fffffff current 240
fr_tcpclosed min 0x1 max 0x7fffffff current 120
fr_tcphalfclosed min 0x1 max 0x7fffffff current 14400
fr_udptimeout min 0x1 max 0x7fffffff current 240
fr_udpacktimeout min 0x1 max 0x7fffffff current 24
fr_icmptimeout min 0x1 max 0x7fffffff current 120
fr_icmpacktimeout min 0x1 max 0x7fffffff current 12
fr_iptimeout min 0x1 max 0x7fffffff current 120
fr_statemax min 0x1 max 0x7fffffff current 4013
fr_statesize min 0x1 max 0x7fffffff current 5737
fr_state_lock min 0 max 0x1 current 0
fr_state_maxbucket min 0x1 max 0x7fffffff current 26
fr_state_maxbucket_reset min 0 max 0x1 current 1
ipstate_logging min 0 max 0x1 current 1
fr_nat_lock min 0 max 0x1 current 0
ipf_nattable_sz min 0x1 max 0x7fffffff current 2047
ipf_nattable_max min 0x1 max 0x7fffffff current 30000
ipf_natrules_sz min 0x1 max 0x7fffffff current 127
ipf_rdrrules_sz min 0x1 max 0x7fffffff current 127
ipf_hostmap_sz min 0x1 max 0x7fffffff current 2047
fr_nat_maxbucket min 0x1 max 0x7fffffff current 22
fr_nat_maxbucket_reset min 0 max 0x1 current 1
nat_logging min 0 max 0x1 current 1
fr_defnatage min 0x1 max 0x7fffffff current 1200
fr_defnatipage min 0x1 max 0x7fffffff current sz = 0
fr_defnaticmpage min 0x1 max 0x7fffffff current 6
ipfr_size min 0x1 max 0x7fffffff current 257
fr_ipfrttl min 0x1 max 0x7fffffff current 120
ipl_suppress min 0 max 0x1 current 1
ipl_buffer_sz min 0 max 0 current 0
ipl_logmax min 0 max 0x7fffffff current 7
ipl_logall min 0 max 0x1 current 0
ipl_logsize min 0 max 0x80000 current 8192
ippr_ftp_debug min 0 max 0xa current 0


(2) Display the current TCP idle timeout and then set it to 3600
# ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E

 (3)Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
$ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
fr_tcpidletimeout min 0x1 max 0x7fffffff current 864000

(4) how to make change permanent.
$ipf -T fr_pass,fr_chksrc,fr_chksrc=1
fr_pass min 0 max 0xffffffff current 134217730
fr_chksrc min 0 max 0x1 current 0

before change:
$cat /usr/kernel/drv/ipf.conf
#
#
name="ipf" parent="pseudo" instance=0;
after change:
$cat /usr/kernel/drv/ipf.conf
name="ipf" parent="pseudo" instance=0 tcpidletimeout=3600 fr_chksrc=1 fr_statesize=10001 fr_statemax=7000;

Special Consideration for fr_statemax,fr_statesize,fr_state_maxbucket:
SUN IPF implements hashtable with separate chaining. For each IPF state table,Sun addes few extensions:
*stack instances
*NAT for IPv6

state table size is controlled by:

fr_statemax :maximum number of states
fr_statesize :hashtable size
fr_state_maxbucket :chain length

fr_statesize and fr_state_maxbucket represent dimension of the state table.

Let's assume the number of cell= Wide * Height. i.e.:

the total number of cell = fr_statesize * fr_state_maxbucket

In above example:

the size of state table(the total number of its cells)

fr_statesize min 0x1 max 0x7fffffff current 5737
fr_state_maxbucket min 0x1 max 0x7fffffff current 26
fr_statesize * fr_state_maxbucket=5737*26=149162


Each cell represents roughly 1/2k (sizeof(ipstate_t) â?¡ 556)
So the memory used by the state table is:


1/2 * 149162 â?? 75kB
fr_statemax min 0x1 max 0x7fffffff current 4013

So only 4013 of 149162 entries will be used.

If you set fr_state_maxbucket=0, IPF will compute a default value from
fr_statesize as lb(fr_statesize)*2 (i.e:binary logarithm times two), i.e.: lb(5737)*2 in this example

Therefore fr_statemax has been introduced

Comments

Post a Comment

Popular posts from this blog

Understanding How ZFS Calculates Used Space

This document explains how ZFS calculates the amount of used space within a zpool and provides examples of how various ZFS features affect that calculation. DETAILS A ZFS storage pool is a logical collection of devices that provide space for datasets such as filesystems, snapshots and volumes. A zfs pool can be used as a filesystem, i.e. such as mounting/unmounting; to take snapshots that provides read-only (clones are writable copies of snapshots) copies of the filesystem taken in the past; to create volumes that can be accessed as a raw and a block device and for setting properties on datasets. Interaction of all these datasets and associated properties such as quotas, reservations, compression and deduplication (Solaris 11 only) play a role in how ZFS calculates space usage. Neither the du nor df command have been updated to account for ZFS file system space usage. When calculating zfs space usage, always use the following command. # zfs list -r -o space <pool_name...
Read more

Restart autosys agent

#/etc/init.d/uajm_agent stop CA-UAJM Agent stopped. #/etc/init.d/uajm_agent start CA-UAJM Agent started. Follow the below workaround if the autosys agent does not start. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1.Run the command to check the status of both process, auto_remote and csampmuxf # ps -ef|grep 'auto'     root 14712     1  0   Aug 27 ?        2:42 auto_remote     root 27652     1  0 13:00:22 ?        0:00 auto_remote     root 27782     1  0 13:00:40 ?        0:00 auto_remote     root 29066 24480  0 13:01:07 pts/7    0:00 grep auto 2.There should be two entries for /opt/CA/SharedComponents/Csam/SockAdapter/bin/csampmux status . If you see one entry then stop agent and check the autore...
Read more

How To Verify Remote System Controller (RSC) is Configured and Current on Sun Fire[TM] 280R/V480/V490/V880/V890 servers

Steps to Follow: How To Verify Remote System Controller(RSC) is Configured and Current 1.Check to see if the RSC software is already installed. # /usr/bin/pkginfo | grep SUNWrsc 2.If the software is installed the command should output the package name and info.   The version of the package installed in Solaris should match the version of firmware installed on the card.   `rscadm version` in Solaris will display the firmware version. 3.If the software is not installed the packages can be found on the supplemental CD that came with the Solaris Operating Environment. If you do not have the CD the software can be downloaded from MOS: RSC 2.2.2 is supported with Solaris 10, but you need to get this from a supplemental CD (for Solaris 9, since there is no supplemental CD for S10). The packages for Solaris 8 and 9 (and later) are both in the zip file. There are two options of the zip file, 32bit, and 64bit, but they both have the same checksums, so there are...
Read more