Checking and tuning IPFilter state table size (Doc ID 1278750.1)

Last updated on APRIL 26, 2017

Applies to:

Solaris Operating System - Version 10 10/09 U8 and later
Information in this document applies to any platform.
How do I check whether the IPFilter state table size needs to be tuned?

Systems with a very large number of network connections may require the IPFilter state table to be tuned.
Check a running system for state table usage and statistics by monitoring the output of ipfstat and ipfstat -s.
If the "lost" counter in the packet state lines of ipfstat keeps incrementing, packets matching keep-state rules are not getting state entries, which indicates that the state table tunables (fr_statemax and fr_statesize) need tuning.

ipfstat -s shows statistics for packet/flow state information.
- a non-zero "maximum" counter means new state entries could not be added because fr_statemax was already reached, so the state table may be too small

ipfstat output example that shows "lost" incrementing:
packet state(in): kept 1316231 lost 1243
packet state(out): kept 1364416 lost 29

ipfstat -sl lists the active state entries.

To check the present values of fr_statemax and fr_statesize:
# ipf -T list
fr_statemax min 0x1 max 0x7fffffff current 12039
fr_statesize min 0x1 max 0x7fffffff current 17231

The values can be changed on the command line with ipf and made persistent by adding them to ipf.conf. fr_statesize is the size of the state hash table, so it can only be changed while the filter is disabled: the command below disables the filter (-D), sets both tunables (-T name=value,...), re-enables it (-E) and lists the new values (-T name,name). While the filter is disabled the existing state table is discarded and filtering is off until -E completes, so do this in a maintenance window and confirm afterwards that the rule set is still loaded (ipfstat -io).

# ipf -D -T fr_statemax=14870,fr_statesize=21247 -E -T fr_statemax,fr_statesize

/usr/kernel/drv/ipf.conf example (takes effect the next time the ipf module is loaded, i.e. after a reboot):
name="ipf" parent="pseudo" instance=0 fr_statemax=14870 fr_statesize=21247;

Notes: Memory for state and limit entries is allocated in chunks.
For state entries, memory is allocated in increments of 1300 entries.
Each state entry is approximately 384 bytes.

Note: fr_statesize must be a prime number (it is the number of hash buckets in the state table).
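The checks and the value derivation above, as an added shell example that is not part of the original Oracle document. It parses constructed samples of ipfstat, ipfstat -s and ipf -T list output (the figures are the ones quoted on this page; the ipfstat -s lines are made up in the layout ipfstat prints), decides whether the table is filling up, scales both tunables by an integer factor (this example's own heuristic, which keeps the entries-per-bucket ratio; the page does not say how its values were chosen) and rounds fr_statesize up to the next prime. The upstream IPFilter defaults 4013/5737 mentioned in a comment come from the IPFilter source, not from this page. The AWK variable exists because /usr/bin/awk on Solaris 10 is the historic awk; set AWK=nawk there.

```shell
#!/bin/sh
# Added example: check IPFilter state table counters and derive new tunables.
# The sample output below is constructed; on a live host pipe the real
# commands (ipfstat, ipfstat -s, ipf -T list) into the same functions.
AWK=${AWK:-awk}   # Solaris 10: AWK=nawk, /usr/bin/awk is the historic awk

# Constructed sample of `ipfstat` (figures quoted on this page).
SAMPLE_IPFSTAT='packet state(in): kept 1316231 lost 1243
packet state(out): kept 1364416 lost 29'

# Constructed sample of `ipfstat -s`. "maximum" counts attempts to add a
# state entry that failed because fr_statemax had already been reached.
SAMPLE_IPFSTAT_S='IP states added:
        1316231 TCP
        5121 UDP
        37 ICMP
        2680647 hits
        1242 misses
        1272 maximum
        0 no memory
        9001 bkts in use
        11230 active'

# Constructed sample of `ipf -T list` (values quoted on this page).
SAMPLE_IPF_T='fr_statemax min 0x1 max 0x7fffffff current 12039
fr_statesize min 0x1 max 0x7fffffff current 17231'

# Sum the "lost" counters of the packet state(in)/(out) lines on stdin.
lost_total() {
    $AWK '/^packet state/ { for (i = 1; i <= NF; i++) if ($i == "lost") s += $(i+1) }
          END { print s + 0 }'
}

# Extract the "maximum" counter from `ipfstat -s` output on stdin (0 if absent).
state_maximum() {
    $AWK '$2 == "maximum" { print $1; found = 1 } END { if (!found) print 0 }'
}

# Extract the current value of tunable $1 from `ipf -T list` output on stdin.
tunable_current() {
    $AWK -v t="$1" '$1 == t { print $NF }'
}

# True (exit 0) when either counter shows the state table filling up.
needs_tuning() {
    [ "$1" -gt 0 ] || [ "$2" -gt 0 ]
}

# Trial-division primality test; fr_statesize must be prime.
is_prime() {
    ip_n=$1
    [ "$ip_n" -lt 2 ] && return 1
    [ "$ip_n" -eq 2 ] && return 0
    [ $((ip_n % 2)) -eq 0 ] && return 1
    ip_d=3
    while [ $((ip_d * ip_d)) -le "$ip_n" ]; do
        [ $((ip_n % ip_d)) -eq 0 ] && return 1
        ip_d=$((ip_d + 2))
    done
    return 0
}

# Smallest prime >= $1.
next_prime() {
    np_c=$1
    [ "$np_c" -lt 2 ] && np_c=2
    while ! is_prime "$np_c"; do np_c=$((np_c + 1)); done
    echo "$np_c"
}

# Scale current fr_statemax ($1) and fr_statesize ($2) by integer factor $3
# (this example's heuristic) and round fr_statesize up to a prime. Scaling the
# upstream IPFilter defaults 4013/5737 by 3 gives this page's 12039/17231.
recommend() {
    r_max=$(( $1 * $3 ))
    r_size=$(next_prime $(( $2 * $3 )))
    echo "fr_statemax=$r_max,fr_statesize=$r_size"
}

# Runtime change as on this page. Caveat: ipf -D discards the live state table
# and filtering is off until -E; afterwards confirm rules are loaded (ipfstat -io).
tuning_command() {
    echo "ipf -D -T $(recommend "$1" "$2" "$3") -E -T fr_statemax,fr_statesize"
}

# Persistent /usr/kernel/drv/ipf.conf line (applied when the ipf module loads).
ipf_conf_line() {
    r=$(recommend "$1" "$2" "$3")
    echo "name=\"ipf\" parent=\"pseudo\" instance=0 $(echo "$r" | tr ',' ' ');"
}

main() {
    lost=$(printf '%s\n' "$SAMPLE_IPFSTAT" | lost_total)
    maxhit=$(printf '%s\n' "$SAMPLE_IPFSTAT_S" | state_maximum)
    cur_max=$(printf '%s\n' "$SAMPLE_IPF_T" | tunable_current fr_statemax)
    cur_size=$(printf '%s\n' "$SAMPLE_IPF_T" | tunable_current fr_statesize)
    echo "lost=$lost maximum=$maxhit fr_statemax=$cur_max fr_statesize=$cur_size"
    if needs_tuning "$lost" "$maxhit"; then
        echo "state table is filling up; suggested runtime change:"
        echo "  # $(tuning_command "$cur_max" "$cur_size" 2)"
        echo "suggested /usr/kernel/drv/ipf.conf line:"
        echo "  $(ipf_conf_line "$cur_max" "$cur_size" 2)"
    else
        echo "no state table exhaustion seen"
    fi
}
main
```

Run it as-is to see the decision and the two suggested changes for the sample data; on a real host replace the SAMPLE_* variables with command substitutions of the live commands and keep the factor small, since each state entry costs roughly 384 bytes of kernel memory.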

CR 6900850: the default limit for the number of states in the state table is too low.
This CR is fixed in the Solaris 10 ipf patch.
Confirm that the latest ipf patch is installed prior to tuning
(148330-07 for SPARC, 148331-07 for x86).

With the latest ipfilter patch, the default fr_state* values are sufficient for most Solaris environments:

# ipf -T list | grep fr_state
fr_statemax min 0x1 max 0x7fffffff current 50000
fr_statesize min 0x1 max 0x7fffffff current 5737
