HP-UX IPFilter Version 15.01 Administrator's Guide
Monitoring and Allocating Memory for DCA Data
IPFilter allocates entries in its state table for TCP connections that use a DCA rule. In addition,
IPFilter keeps a limit table that counts the state table entries for a DCA rule. The amount of
memory allocated for the state table is determined by the kernel tunable parameter fr_statemax.
In most deployments, the default value is sufficient, but if you set this value too low and IPFilter
is unable to create a state table entry for a TCP connection that uses a DCA rule, IPFilter will
allow packets for the connection to pass, even if the connection would exceed the limit in the
DCA rule.
The maximum counter in the output of the ipfstat -s command shows the number of times
IPFilter attempted to create a state table entry but could not because the state table already
contained the maximum number of entries.
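The check described above, as an added example (not part of the HP guide): POSIX shell functions that read ipfstat -s output and flag any growth in the maximum counter since the previous run. The "<count> maximum" line layout, the sample output and the state file path are assumptions.

```shell
#!/bin/sh
# Added example: alert when the "maximum" counter of `ipfstat -s` grows,
# i.e. when IPFilter could not create a state entry because the table was full.
# Assumption: the counter is printed as "<count> maximum" on a line of its own.

# Constructed sample output (layout assumed), for trying the functions offline.
sample_stats() {
cat <<'EOF'
IP states added:
        1204 TCP
        0 UDP
        0 ICMP
        98211 hits
        1530 misses
        3 maximum
        0 no memory
        212 active
EOF
}

# Read `ipfstat -s` output on stdin and print the "maximum" counter.
# Exits non-zero when no such line is present.
state_max_hits() {
    awk '$2 == "maximum" && NF == 2 && $1 ~ /^[0-9]+$/ { print $1; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Compare the counter on stdin with the value saved in $1 by the previous run.
# Returns 0 if it did not grow, 2 if it grew, 1 if it could not be read.
check_state_max() {
    state_file=$1
    cur=$(state_max_hits) || { echo "UNKNOWN: no maximum counter found"; return 1; }
    prev=$(cat "$state_file" 2>/dev/null) || prev=0
    case $prev in ''|*[!0-9]*) prev=0 ;; esac
    echo "$cur" > "$state_file"      # new baseline (also covers a reset after reboot)
    if [ "$cur" -gt "$prev" ]; then
        echo "ALERT: state table was full $((cur - prev)) time(s) since the last check"
        return 2
    fi
    echo "OK: maximum counter not increased ($cur)"
    return 0
}

# On the firewall (hypothetical state file path):
#   ipfstat -s | check_state_max /var/tmp/ipf_statemax.last
```

An ALERT means that connections may have passed without the DCA limit being enforced during that interval, so review fr_statemax and fr_tcpidletimeout.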
In addition, the number of state table entries needed for TCP connections is affected by the kernel
tunable parameter fr_tcpidletimeout. For information about modifying these parameters,
see “fr_statemax” (page 138) and “fr_tcpidletimeout” (page 137).
58 Configuring and Loading Dynamic Connection Allocation (DCA) Rules