HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
C HP-UX IPFilter kernel tunable parameters
Overview
HP-UX IPFilter supports the following kernel tunable parameters:
| Name | Description | Default value |
|------|-------------|---------------|
| fr_tcpidletimeout | The timeout period for TCP entries in the state table. | 86,400 seconds |
| fr_statemax | Specifies the maximum number of state table entries that can be created. | 800,000 entries |
| ipf_icmp6_passthru | If set to 0, IPFilter allows ICMPv6 Router Discovery and Neighbor Discovery messages to bypass normal IPFilter rule processing and always pass through the system. | 0 |
| ipl_buffer_sz | Size of the IPFilter logging buffer for /dev/ipl. | 8192 bytes |
| ipl_suppress | If enabled (set to 1), IPFilter does not write identical log records separately, but counts them as Nx, where N is the number of times the log record occurs. | 1 (enabled) |
| ipl_logall | If enabled (set to 1), IPFilter includes the entire packet when the log body keywords are specified in a rule. Otherwise, it includes only the first 128 bytes. | 0 (disabled) |
| ipnat_enable | Used to enable or disable NAT functionality. Value can be 0 or 1. This is supported on 11.23 and 11.31. It is modified using the kctune command. | 1 (enabled) |
| fr_tcptimewait | Used to set TCP state entry age at system level after connection is closed. Value can be between 2-120 seconds. This is supported only on 11.31. It is modified using the kctune command. | 120 seconds (enabled) |
| frnat_tcptimewait | Used to set TCP NAT entry age at system level after connection is closed. Value can be between 2-120 seconds. This is supported only on 11.31. It is modified using the kctune command. | 120 seconds |
| ipnat_largenat_enable | Used to enable (set the value to 1) or disable (set the value to zero) Large NAT feature on 11.31. For more information, see “LARGE NAT support in IPFilter (HP-UX 11iV3 only)” (page 50) section. | |
| ipnat_nat_size, ipnat_nat_table_size, ipnat_rdr_size, ipnat_hostmap_size | Used to modify the size of different NAT hash tables, when ipnat_largenat_enable is enabled. For more information, see “LARGE NAT support in IPFilter (HP-UX 11iV3 only)” (page 50) section. | |
The following sections provide information about the remaining kernel tunable parameters and
how to use the kctune, kmtune, and ndd commands to configure these parameters.
fr_tcpidletimeout
The fr_tcpidletimeout is the timeout period for state table entries for TCP connections that
are established and idle. If the state table has an entry for an established TCP connection and no
packets match the state entry for that period, IPFilter deletes the entry.
| Name | Range | Default value | Configuration utility |
|------|-------|---------------|-----------------------|
| fr_tcpidletimeout | HP-UX 11i v1: 300 - 86,400 seconds | 86,400 seconds (24 hours) | HP-UX 11i v1: kmtune; HP-UX 11i v2 and HP-UX 11i v3: kctune |
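
The following is an added illustration, not part of the HP guide and not IPFilter code: a simplified Python model of how fr_tcpidletimeout interacts with fr_statemax, showing that a long idle timeout lets idle established flows accumulate until the table is full. The class and function names, the sample flows, and the assumption that no entry is created once the table holds fr_statemax entries are constructed for the example.

```python
# Added illustration, not IPFilter source: a simplified model of a TCP state
# table governed by fr_tcpidletimeout and fr_statemax (defaults from the table).
FR_TCPIDLETIMEOUT = 86_400   # seconds
FR_STATEMAX = 800_000        # entries


class StateTable:
    def __init__(self, idle_timeout=FR_TCPIDLETIMEOUT, state_max=FR_STATEMAX):
        self.idle_timeout = idle_timeout
        self.state_max = state_max
        self.last_seen = {}   # flow id -> time of the last matching packet
        self.refused = 0      # new flows that got no entry (table full)

    def expire(self, now):
        """Delete entries that no packet has matched for idle_timeout seconds."""
        stale = [f for f, t in self.last_seen.items()
                 if now - t >= self.idle_timeout]
        for flow in stale:
            del self.last_seen[flow]
        return len(stale)

    def packet(self, flow, now):
        """Return True if the packet matches or creates a state entry."""
        self.expire(now)
        if flow not in self.last_seen and len(self.last_seen) >= self.state_max:
            self.refused += 1   # assumption: no entry is created past state_max
            return False
        self.last_seen[flow] = now   # a matching packet restarts the idle clock
        return True


def simulate(idle_timeout, state_max, flows_per_second, duration):
    """Open flows that go idle at once; return (peak entries, refused flows)."""
    table = StateTable(idle_timeout, state_max)
    peak = 0
    for now in range(duration):
        for n in range(flows_per_second):
            # Constructed sample flow: documentation address plus a counter.
            table.packet(("192.0.2.10", now * flows_per_second + n), now)
        peak = max(peak, len(table.last_seen))
    return peak, table.refused


if __name__ == "__main__":
    # Small constructed numbers so the run is quick; the ratio is what matters.
    print("timeout 300 s:   ", simulate(300, 1000, 2, 1000))
    print("timeout 86400 s: ", simulate(86_400, 1000, 2, 1000))
```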