Once again I have been blindsided by yet another conservative out-of-the-box setting. IPFilter is tuned far too conservatively in its state table size.

Here is how you can tell if you're hitting this issue: run ipfstat and check for lost packets.


victori@opensolaris:~# ipfstat | grep lost
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 798        lost 100
packet state(out):      kept 612        lost 234

Notice that the in and out lost state lines have non-zero values. This means the state table has been filling up and IPFilter has been dropping client connections, bummer.

The default limits are quite conservative, as ipf -T list shows:


victori@opensolaris:~# ipf -T list | grep fr_state
fr_statemax min 0x1 max 0x7fffffff current 4096
fr_statesize min 0x1 max 0x7fffffff current 5002

You need to shut down IPFilter and apply larger table size limits.


victori@opensolaris:~# svcadm disable ipfilter
victori@opensolaris:~# /usr/sbin/ipf -T fr_statemax=18963,fr_statesize=27091

Let's confirm that it worked.


victori@opensolaris:~# ipf -T list | grep fr_state
fr_statemax min 0x1 max 0x7fffffff current 18963
fr_statesize min 0x1 max 0x7fffffff current 27091

Awesome, now all we need to do is enable IPFilter again and there should be no more lost packets.


victori@opensolaris:~# svcadm enable ipfilter

To make this persistent across reboots, edit ipf.conf and add the two tunables to the driver line:


victori@opensolaris:~# vi /usr/kernel/drv/ipf.conf
name="ipf" parent="pseudo" instance=0 fr_statemax=18963 fr_statesize=27091;

Then have the driver re-read its configuration so the new values take effect:


victori@opensolaris:~# devfsadm -i ipf

The ipf -T tunables and the ipfstat check apply to any OS that ships IPFilter; the svcadm steps and the /usr/kernel/drv/ipf.conf location are specific to Solaris and OpenSolaris, so on other systems use the local service manager and driver configuration instead.
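The whole check described above, as an added example that is not part of the original post: a small POSIX sh audit script that parses ipfstat output for lost state entries, reads the current fr_statemax and fr_statesize from ipf -T list output, and then confirms that the running limit is also present in ipf.conf so it survives a reboot. The command output embedded below is constructed sample text copied from the post's figures so the script runs without IPFilter installed; on a real host you would substitute "$(ipfstat)", "$(ipf -T list)" and "$(cat /usr/kernel/drv/ipf.conf)". It assumes only POSIX awk and grep.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an IPFilter host for a
# state table that is too small and for tunables that were not persisted.
# All command output here is constructed sample text; replace the three
# SAMPLE_* variables with live output on an IPFilter system.

# Constructed sample: `ipfstat` with lost state entries (the post's numbers).
SAMPLE_IPFSTAT='fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 798        lost 100
packet state(out):      kept 612        lost 234'

# Constructed sample: `ipf -T list` before tuning.
SAMPLE_TUNABLES='fr_statemax min 0x1 max 0x7fffffff current 4096
fr_statesize min 0x1 max 0x7fffffff current 5002'

# Constructed sample: ipf.conf after the persistent change from the post.
SAMPLE_IPF_CONF='name="ipf" parent="pseudo" instance=0 fr_statemax=18963 fr_statesize=27091;'

# Sum of the "lost N" counters on the "packet state" lines of ipfstat output.
lost_packets() {
    printf '%s\n' "$1" | awk '
        /^packet state/ { for (i = 1; i <= NF; i++) if ($i == "lost") total += $(i + 1) }
        END { print total + 0 }'
}

# The "current" value of one tunable (e.g. fr_statemax) in `ipf -T list` output.
tunable_current() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name { for (i = 1; i <= NF; i++) if ($i == "current") print $(i + 1) }'
}

# True (exit 0) when the running state table has dropped entries, i.e. the
# ipfstat "lost" counters are non-zero and the limits should be raised.
needs_tuning() {
    [ "$(lost_packets "$1")" -gt 0 ]
}

# True when the ipf.conf text carries the given name=value pair as a whole
# token, meaning the running value will survive a reboot.
conf_has_tunable() {
    printf '%s\n' "$3" | grep -Eq "(^|[[:space:]])$1=$2([[:space:]]|;|$)"
}

# Print a one-line summary and return 0 only when nothing needs attention:
# no lost state entries, and the running fr_statemax is present in ipf.conf.
audit() {
    ipfstat_out=$1; tunables_out=$2; conf=$3
    lost=$(lost_packets "$ipfstat_out")
    statemax=$(tunable_current fr_statemax "$tunables_out")
    statesize=$(tunable_current fr_statesize "$tunables_out")
    status=0
    printf 'lost=%s fr_statemax=%s fr_statesize=%s\n' "$lost" "$statemax" "$statesize"
    if needs_tuning "$ipfstat_out"; then
        echo "state table overflowing: raise fr_statemax/fr_statesize with ipf -T"
        status=1
    fi
    if ! conf_has_tunable fr_statemax "$statemax" "$conf"; then
        echo "running fr_statemax=$statemax is not in ipf.conf; it will not survive a reboot"
        status=1
    fi
    return $status
}

# Run against the constructed samples: reports lost=334 and flags both problems.
audit "$SAMPLE_IPFSTAT" "$SAMPLE_TUNABLES" "$SAMPLE_IPF_CONF" || true
```

The persistence check is the part most often forgotten: ipf -T changes the running kernel values only, so a host that was tuned by hand and later rebooted silently returns to the 4096 default, and the lost counters start climbing again.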