HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
C.3 fr_statemax
The fr_statemax parameter specifies the maximum number of entries in the IPFilter state table.
Name: fr_statemax
Range: 4,000 - 1,600,00 entries
Default value: 800,000 entries
Configuration utility: HP-UX 11i v1: kmtune; HP-UX 11i v2 and HP-UX 11i v3: kctune
IPFilter allocates state table entries for packets that match stateful (keep state) and Dynamic
Connection Allocation (DCA; keep limit) rules. IPFilter also maintains a limit table to count the
state table entries for DCA rules. IPFilter allocates memory for the state table in 500-Kbyte chunks,
where each chunk can store 1,300 entries (each state table entry is approximately 384 bytes).
CAUTION: HP-UX IPFilter keeps memory allocated for state and limit table entries in its private
free pool and does not return this allocated memory back to the kernel memory pool for general
use. Setting fr_statemax to a large value can affect system memory availability.
When the number of entries reaches fr_statemax, IPFilter checks if entries have exceeded their
idle lifetime and are eligible to be freed. The idle lifetimes are based on the protocol type and are
as follows:
ICMP: 60 seconds
TCP: the value of fr_tcpidletimeout (by default, 84,600 seconds)
UDP: 120 seconds
If IPFilter is unable to create a state table entry for a packet that matches a DCA rule, it allows the
packet to pass. The maximum counter in the ipfstat -s output records the number of times
IPFilter attempted to create a state table entry but could not because the state table contained
the maximum number of entries.
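The sizing rule and the maximum counter described above can be combined into a monitoring check. The shell functions below are an added example, not part of the HP guide; the "<count> maximum" line layout of ipfstat -s output, the sample text and the baseline file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP guide. Sizing figures are the ones stated
# above: memory is allocated in 500-Kbyte chunks of 1,300 entries each.

# Constructed sample of `ipfstat -s` output (values are made up; the
# "<count> maximum" line layout is an assumption about the output format).
SAMPLE='IP states added:
	412 TCP
	96 UDP
	3 ICMP
	18840 hits
	1207 misses
	7 maximum
	0 no memory'

# Worst-case state table memory in Kbytes for a given fr_statemax value.
statemax_kbytes() {
    chunks=$(( ($1 + 1299) / 1300 ))        # round up to whole chunks
    echo $(( chunks * 500 ))
}

# Print the "maximum" counter from ipfstat -s text on stdin; fail if absent.
state_maximum() {
    awk '$2 == "maximum" && NF == 2 && $1 ~ /^[0-9]+$/ { print $1; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Compare the counter on stdin with the baseline stored in file $1.
# Returns 1 if the counter grew since the last check (the table was full,
# during which packets matching DCA rules are passed), 0 if it did not,
# 3 if the counter is missing from the input.
check_state_exhaustion() {
    cur=$(state_maximum) || { echo "UNKNOWN: no maximum counter found"; return 3; }
    prev=0
    [ -r "$1" ] && prev=$(cat "$1")
    echo "$cur" > "$1"
    if [ "$cur" -gt "$prev" ]; then
        echo "ALERT: state table reached fr_statemax $((cur - prev)) more time(s)"
        return 1
    fi
    echo "OK: no new state table exhaustion (maximum=$cur)"
    return 0
}

# Typical use on the firewall host (baseline path is a hypothetical choice):
#   ipfstat -s | check_state_exhaustion /var/tmp/ipf_state_max.prev
```

With the default fr_statemax of 800,000, statemax_kbytes reports 308000 Kbytes (616 chunks) as the amount IPFilter can hold in its private pool.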
C.4 ipf_icmp6_passthru
The parameter ipf_icmp6_passthru is described in Section 11.4 (page 77).
C.5 ipl_buffer_sz
The ipl_buffer_sz parameter specifies the size of the IPFilter logging buffer.
Name: ipl_buffer_sz
Range: 1024 - 163840 bytes
Default value: 8192 bytes
Configuration utility: HP-UX 11i v1 and HP-UX 11i v2: ndd; HP-UX 11i v3: kctune
C.5.1 Displaying logging buffer statistics
On HP-UX 11i v3 systems, the ipfstat -B command displays the size of the log buffer, the
current number of bytes used, and the high-water mark (the maximum number of bytes used).
On HP-UX 11i v1 and HP-UX 11i v2 systems, use the following command to get the logging buffer
statistics:
ndd -get /dev/pfil cur_iplbuf_sz
The parameter cur_iplbuf_sz is a read-only parameter.
C.6 ipl_suppress
The ipl_suppress parameter specifies the IPFilter logging behavior for identical log records.
When this feature is enabled (the value is 1), IPFilter suppresses identical log records; instead of
writing duplicate records, it writes the record and N where N is the number of times the