HP-UX IPFilter Version 16 Administrator's Guide
fr_statemax
The fr_statemax parameter specifies the maximum number of entries in the IPFilter state
table.
Name: fr_statemax
Range: 4,000 - 1,600,00 entries
Default Value: 800,000 entries
Configuration Utility:
  HP-UX 11i v1: kmtune
  HP-UX 11i v2 and HP-UX 11i v3: kctune
IPFilter allocates state table entries for packets using stateful (keep state) and Dynamic
Connection Allocation (keep limit) rules. IPFilter also maintains a limit table to count the
state table entries for DCA rules. IPFilter allocates memory for the state table in 500-Kbyte chunks,
where each chunk can store 1,300 entries (each state table entry is approximately 384 bytes).
CAUTION: HP-UX IPFilter keeps memory allocated for state and limit table entries in its private
free pool and does not return this memory to the kernel memory pool for general use. Setting
fr_statemax to a large value can affect system memory availability.
When the number of entries reaches fr_statemax, IPFilter checks if entries have exceeded their
idle lifetime and are eligible to be freed. The idle lifetimes are based on the protocol type and
are as follows:
ICMP: 60 seconds
TCP: the value of fr_tcpidletimeout (by default, 84,600 seconds)
UDP: 120 seconds
If IPFilter is unable to create a state table entry for a packet that matches a DCA rule, it allows
the packet to pass. The maximum counter in the output of the ipfstat -s command reports the
number of times IPFilter attempted to create a state table entry but could not because the state
table contained the maximum number of entries.
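The chunk-based sizing and the maximum counter described above can be checked together with a short shell script. This is an added example, not part of the HP guide or of HP-UX IPFilter: the function names and the sample ipfstat -s text are constructed, and the "<number> <label>" one-counter-per-line layout is an assumption.

```shell
#!/bin/sh
# Added example, not HP code. Chunk figures are the ones quoted in the guide.
ENTRIES_PER_CHUNK=1300   # state entries per chunk
CHUNK_KB=500             # Kbytes per chunk

# Kbytes retained in IPFilter's private pool once the state table has grown
# to $1 entries (state table only; the DCA limit table is extra).
state_table_kb() {
    chunks=$(( ($1 + ENTRIES_PER_CHUNK - 1) / ENTRIES_PER_CHUNK ))
    echo $(( chunks * CHUNK_KB ))
}

# Print counter $1 from "ipfstat -s" text on stdin. Assumed layout: one
# "<number> <label>" per line. The label is matched whole, not by prefix.
state_counter() {
    awk -v want="$1" '{ n = $1; $1 = ""; sub(/^ +/, "")
                        if ($0 == want) { print n; exit } }'
}

# Summarise "ipfstat -s" text (stdin) for an fr_statemax of $1. Returns 1 if
# the "maximum" counter is non-zero, i.e. the table has been full at least
# once and packets matching DCA rules were passed without a state entry.
state_report() {
    stats=$(cat)
    full=$(printf '%s\n' "$stats" | state_counter maximum)
    active=$(printf '%s\n' "$stats" | state_counter active)
    echo "fr_statemax=$1 memory_at_full_table=$(state_table_kb "$1")KB"
    echo "active=${active:-unknown} table_full_events=${full:-unknown}"
    [ "${full:-0}" -eq 0 ]
}

# Constructed sample output (values invented for the demonstration).
sample_ipfstat_s() {
    cat <<'EOF'
IP states added:
	912004 TCP
	40211 UDP
	3550212 hits
	88120 misses
	17 maximum
	0 no memory
	800000 active
EOF
}

# On a live system: ipfstat -s | state_report <current fr_statemax>
sample_ipfstat_s | state_report 800000 ||
    echo "WARNING: state table reached fr_statemax; DCA-rule packets passed untracked"
```

Run periodically, a rising table_full_events value is the signal to either raise fr_statemax (at the memory cost shown) or tighten the rules that create state.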
ipf_icmp6_passthru
The parameter ipf_icmp6_passthru is described in “Controlling ICMPv6 Router Discovery
and Neighbor Discovery Messages” (page 97).
ipl_buffer_sz
The ipl_buffer_sz parameter specifies the size of the IPFilter logging buffer.
Name: ipl_buffer_sz
Range: 1024 - 163840 bytes
Default Value: 8192 bytes
Configuration Utility:
  HP-UX 11i v1 and HP-UX 11i v2: ndd
  HP-UX 11i v3: kctune
Displaying Logging Buffer Statistics
On HP-UX 11i v3 systems, the ipfstat -B command displays the size of the log buffer, the
current number of bytes used, and the high-water mark (the maximum number of bytes used).
On HP-UX 11i v1 and HP-UX 11i v2 systems, use the following command to get the logging
buffer statistics:
ndd -get /dev/pfil cur_iplbuf_sz
The parameter cur_iplbuf_sz is a read-only parameter.