HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
You can display rule hit counts by using the ipfstat -ioh command. This command is useful as a troubleshooting mechanism, along with ipfstat -sl and ipfstat -vL, which let you examine connections in real time. Lastly, logging can be used to analyze the history of past connections.
Limits and hit counts
Configuring rules with cumulative and noncumulative limits affects rule hit counts. IPFilter registers rule hits differently for cumulative and noncumulative limits. A rule hit is usually registered only once for noncumulative limits. This is because IPFilter creates a limit entry when the connection matches a noncumulative keep limit rule, and subsequent connections are controlled by that limit entry.
For cumulative limits, each new connection registers a rule hit and increments the rule hit count, because cumulative limit connections require a rule walk for each new connection.
Monitoring and allocating memory for DCA data
IPFilter allocates entries in the state table for TCP connections that use a DCA rule. In addition, IPFilter keeps a limit table that counts the state table entries for a DCA rule. The amount of memory allocated for the state table is determined by the kernel tunable parameter fr_statemax. In most deployments, the default value is sufficient, but if you set this value too low and IPFilter is unable to create a state table entry for a TCP connection that uses a DCA rule, IPFilter will allow packets for the connection to pass, even if the connection would exceed the limit in the DCA rule.
The maximum counter in the output of the ipfstat -s command reports the number of times IPFilter attempted to create a state table entry but could not, because the state table already contained the maximum number of entries.
In addition, the number of state table entries needed for TCP connections is affected by the kernel tunable parameter fr_tcpidletimeout. For information about modifying these parameters, see Section (page 118) and Section (page 117).
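As an added illustration (not from the HP-UX guide and not HP code), the following POSIX shell snippet reads the maximum counter out of ipfstat -s output and flags state-table exhaustion, which is the condition under which packets for DCA-limited connections are passed without the limit being enforced. It assumes the counter lines have the form "<count> <name>" as in the open-source ipfstat, and the sample output embedded below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample of `ipfstat -s` output (assumed "<count> <name>" layout).
SAMPLE_IPFSTAT_S='IP states added:
	7 TCP
	2 UDP
	0 ICMP
	120 hits
	9 misses
	3 maximum
	0 no memory
	0 max bucket
	6 active
	10 expired
	4 closed'

# Print the value of one named counter from ipfstat -s output.
# Usage: ipf_counter "<ipfstat -s output>" "<counter name>"
ipf_counter() {
    printf '%s\n' "$1" | while read -r count name; do
        if [ "$name" = "$2" ]; then
            echo "$count"
            break
        fi
    done
}

# Return 0 when the state table never filled up, 1 when the "maximum"
# counter is non-zero (entries could not be created, so DCA-limited
# connections may have been allowed past their limit), 2 if not found.
check_state_table() {
    max=$(ipf_counter "$1" maximum)
    if [ -z "$max" ]; then
        echo "maximum counter not found in ipfstat -s output" >&2
        return 2
    fi
    if [ "$max" -gt 0 ]; then
        echo "WARNING: state table was full $max time(s); review fr_statemax and fr_tcpidletimeout"
        return 1
    fi
    echo "state table OK (maximum=$max)"
    return 0
}

# Stand-alone run against the constructed sample.
# On a live host: check_state_table "$(ipfstat -s)"
check_state_table "$SAMPLE_IPFSTAT_S" || true
```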
Monitoring and allocating memory for DCA data 43