HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)

Range: 240 - 86,400 seconds
Configuration utility: HP-UX 11i v2 and HP-UX 11i v3:
fr_statemax
The fr_statemax parameter specifies the maximum number of entries in the IPFilter state table.
Name: fr_statemax
Range: 4,000 - 1,600,00 entries
Default value: 800,000 entries
Configuration utility: HP-UX 11i v1: kmtune; HP-UX 11i v2 and HP-UX 11i v3: kctune
IPFilter allocates state table entries for packets using stateful (keep state) and Dynamic Connection
Allocation (keep limit) rules. IPFilter also maintains a limit table to count the state table entries
for DCA rules. IPFilter allocates memory for the state table in 500-Kbyte chunks, where each chunk
can store 1,300 entries (each state table entry is approximately 384 bytes).
CAUTION: HP-UX IPFilter keeps memory allocated for state and limit table entries in the private
free pool and does not return this allocated memory back to the kernel memory pool for general
use. Setting fr_statemax to a large value can affect system memory availability.
When the number of entries reaches fr_statemax, IPFilter checks whether any entries have exceeded
their idle lifetime and are eligible to be freed. The idle lifetimes are based on the protocol type and
are as follows:
ICMP: 60 seconds
TCP: the value of fr_tcpidletimeout (by default, 84,600 seconds)
UDP: 120 seconds
If IPFilter is unable to create a state table entry for a packet that matches a DCA rule, it allows the
packet to pass. The maximum counter in the output of the ipfstat -s command reports the number
of times IPFilter attempted to create a state table entry but could not because the state table
already contained the maximum number of entries.
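The following sh example is added here and is not part of the HP guide: it compares the maximum counter between two ipfstat -s captures to flag intervals in which the state table was full and packets matching DCA rules passed without a state entry, and it applies the chunk figures above to estimate the memory IPFilter holds. The "<count> <label>" line layout of ipfstat -s and both sample captures are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not HP code. Assumes each counter line of `ipfstat -s`
# has the form "<count> <label>"; both samples below are constructed.
SAMPLE_PREV='IP states added:
    12044 TCP
    0 maximum
    1180 active'
SAMPLE_CUR='IP states added:
    912377 TCP
    37 maximum
    800000 active'

# state_counter LABEL: print the count preceding LABEL in ipfstat -s text on stdin.
state_counter() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {
            label = $0
            sub(/^[ \t]*[0-9]+[ \t]+/, "", label); sub(/[ \t]+$/, "", label)
            if (label == want) { print $1; found = 1; exit }
        }
        END { exit !found }'
}

# check_state_full PREV_TEXT CUR_TEXT: returns 0 if "maximum" did not grow,
# 1 if it grew (the table was full, so DCA-matched packets passed without a
# state entry), 2 if the counter could not be parsed from either sample.
check_state_full() {
    prev=$(printf '%s\n' "$1" | state_counter maximum) || return 2
    cur=$(printf '%s\n' "$2" | state_counter maximum) || return 2
    # A lower value than before means the counters restarted; rebase to zero.
    if [ "$cur" -lt "$prev" ]; then prev=0; fi
    if [ "$cur" -gt "$prev" ]; then
        echo "WARN: state table full $((cur - prev)) time(s) since last sample"
        return 1
    fi
    echo "OK: no state table exhaustion since last sample"
}

# state_table_kbytes N: memory IPFilter holds after allocating N entries,
# using the guide's figures (500-Kbyte chunks of 1,300 entries each).
state_table_kbytes() {
    echo $(( ($1 + 1299) / 1300 * 500 ))
}

check_state_full "$SAMPLE_PREV" "$SAMPLE_CUR" || true
echo "held at 800000 entries: $(state_table_kbytes 800000) Kbytes"
```

On a live system the two arguments would be successive captures of ipfstat -s output, for example taken by a scheduled job.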
ipf_icmp6_passthru
The parameter ipf_icmp6_passthru is described in Section (page 83).
ipl_buffer_sz
The ipl_buffer_sz parameter specifies the size of the IPFilter logging buffer.
Name: ipl_buffer_sz
Range: 1024 - 163840 bytes
Default value: 8192 bytes
Configuration utility: HP-UX 11i v1 and HP-UX 11i v2: ndd; HP-UX 11i v3: kctune
Displaying logging buffer statistics
On HP-UX 11i v3 systems, the ipfstat -B command displays the size of the log buffer, the
current number of bytes used, and the high-water mark (the maximum number of bytes used).
On HP-UX 11i v1 and HP-UX 11i v2 systems, use the following command to get the logging buffer
statistics:
ndd -get /dev/pfil cur_iplbuf_sz
The parameter cur_iplbuf_sz is a read-only parameter.