HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
NOTE:
• If HP-UX IPFilter is already running, you must restart the IPFilter to activate the new value.
• If the value of ipnat_largenat_enable is changed while IPFilter is running, the following
warning message is displayed along with the current value in effect:
WARNING: Changes to ipnat_largenat_enable will take effect only
after restarting IPFilter. Value in effect is 0.
• Enabling ipnat_largenat_enable unlocks and allows the users to change the HASH
table sizes of HP-UX IPFilter. Tuning HASH table sizes does not change the existing IPFilter
functional behavior.
Tuning the HASH table sizes
This section discusses the HASH tables, their values, and how to tune them.
When LARGE NAT is enabled, you can customize the HASH table tunables to suit your
requirements.
When LARGE NAT (ipnat_largenat_enable tunable) is enabled, you can tune up to four
different HASH tables using kctune. These HASH tables can be tuned to increase the number of
HASH buckets in each table. This helps in reducing the number of HASH collisions and may
increase performance.
Table 2 HASH table tunables
ipnat_nat_size
Using this tunable, you can tune the size of the HASH table that holds the NAT
"map" rules. For more information on how to write map rules, see the “Mapping
outbound packets: map and portmap” (page 45) section.
The default value is 127 (minimum) and the maximum value is 2047.
For example:
$ kctune ipnat_nat_size=1024
The new value becomes effective only when ipnat_largenat_enable is set to
1. You must restart the IPFilter for the new value to take effect.
If ipnat_nat_size tunable is set using kctune while IPFilter is running, the
following warning message is displayed along with the current value in effect.
WARNING:Changes to ipnat_nat_size will take effect only
after restarting IPFilter and if ipnat_largenat_enable is
enabled.Value in effect is 127.
NOTE: The number of NAT "map" rules actually loaded on the system can be
more than the value configured for ipnat_nat_size tunable. ipnat_nat_size
tunable increases the chances of a faster rule search.
ipnat_rdr_size
Using this tunable, you can set the size of the HASH table that holds the RDR
rules. For more information on how to write rdr rules, see the “Redirecting inbound
packets: rdr” (page 46) section.
The default value is 127 (minimum) and the maximum value is 2047.
For example:
$ kctune ipnat_rdr_size=2047
The new value becomes effective only when ipnat_largenat_enable is set to
1. You must restart the IPFilter for the new value to take effect.
If ipnat_rdr_size tunable is set using kctune while IPFilter is running, the
following warning message is displayed along with the current value in effect.
WARNING:Changes to ipnat_rdr_size will take effect only
after restarting IPFilter and if ipnat_largenat_enable is
enabled.Value in effect is 127.
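The constraints above can be checked before any kernel tunable is touched. The following is an added example, not part of the HP guide: the function name plan_hash_tune and its exit codes are assumptions, it covers only the two tunables described on this page, and it prints the kctune commands in the required order without running them.

```shell
#!/bin/sh
# Added example: pre-flight check for the HASH table tunables described above.
# The limits (127..2047) and tunable names are the ones documented on this page;
# the function name and exit codes are assumptions made for this example.

HASH_MIN=127
HASH_MAX=2047

# plan_hash_tune <current ipnat_largenat_enable> <tunable> <new size>
# Prints the kctune commands to run, in order. It runs nothing itself.
# Returns 0 = plan printed, 2 = unknown tunable, 3 = bad size, 4 = bad enable value.
plan_hash_tune() {
    largenat=$1 tunable=$2 size=$3

    # Only the two HASH tunables documented on this page are accepted.
    case $tunable in
        ipnat_nat_size|ipnat_rdr_size) ;;
        *) echo "error: $tunable is not a HASH tunable covered here" >&2; return 2 ;;
    esac

    # Reject empty or non-numeric sizes before the numeric comparison.
    case $size in
        ''|*[!0-9]*) echo "error: size must be a whole number" >&2; return 3 ;;
    esac
    if [ "$size" -lt "$HASH_MIN" ] || [ "$size" -gt "$HASH_MAX" ]; then
        echo "error: $tunable must be between $HASH_MIN and $HASH_MAX" >&2
        return 3
    fi

    # The size is ignored unless LARGE NAT is enabled, so enable it first.
    case $largenat in
        1) ;;
        0) echo "kctune ipnat_largenat_enable=1" ;;
        *) echo "error: ipnat_largenat_enable must be 0 or 1" >&2; return 4 ;;
    esac

    echo "kctune $tunable=$size"
    echo "# restart IPFilter: the new size takes effect only after a restart"
}

# Constructed sample call: LARGE NAT currently disabled, NAT table to 1024 buckets.
plan_hash_tune 0 ipnat_nat_size 1024
```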
LARGE NAT support in IPFilter (HP-UX 11iV3 only) 51