HP-UX IPFilter Version 17 Release Notes
2 New Features in this Release
IMPORTANT: The following new features are supported on HP-UX 11i v3 only.
2.1 Rate-Based Filtering
This feature controls packet flow by defining the rate (packets per second) of matching packets
passing through a machine. This feature is useful in case of a SYN/ACK flood.
For example, to allow 10 outbound packets per second from any source address to the destination
address 10.1.1.42:
pass out from any to 10.1.1.42/32 pps 10
2.2 Address Pooling
Address pools establish a single reference that is used to name a group of address/netmask pairs.
Address pools:
• Facilitate management of large groups of addresses
• Reduce time to match IP addresses with rules
• Improve performance
2.2.1 The ippool Utility
The ippool utility manages information stored in the IP pools subsystem of IPFilter.
Configuration file information can be parsed and loaded into the kernel. Configured pools can
be removed, changed, or inspected. For more information, see the ippool(1M) and ippool(4)
manpages.
2.2.2 The ippool.conf File
The IP pool configuration file defines a single object that contains a reference to multiple IP
address/netmask pairs. A pool can consist of a mixture of netmask sizes from 0 to 32.
NOTE: Only IPv4 addressing is supported.
The IP pool configuration file provides the table command to efficiently match IP addresses
with rules. The table command defines a lookup table that provides a single filter rule reference
to multiple targets.
The following storage formats are provided:
• The hash table format is used with objects that contain the same netmask or a few different
sized netmasks of non-overlapping address space.
• The tree structure supports exceptions to a covering mask, that is, an address block excluded from a larger block that would otherwise match. Searching is also supported.
IMPORTANT: Pools defined in the configuration file must have an associated role. The only
supported role is ipf.
For more information and examples, see the ippool(4) manpage.
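As an added illustration (not taken from the release notes or the ippool(4) manpage), the following constructed ippool.conf fragment defines one tree pool with an exception and one hash pool of same-sized netmasks, and the ipf rules that reference them. Syntax follows the ippool.conf and ipf.conf formats as the editor understands them; the pool numbers, addresses and the /etc/opt/ipf file paths are assumptions to be checked against the manpages on the target system.

```conf
# /etc/opt/ipf/ippool.conf  (assumed HP-UX path; constructed example)
#
# Pool 100: tree format. A covering mask (10.0.0.0/8) with one exception
# (10.1.0.0/16) carved out with "!". The tree format exists for exactly
# this mixed-netmask, overlapping case. Role must be ipf (the only role
# supported on HP-UX).
table role = ipf type = tree number = 100
        { 10.0.0.0/8; !10.1.0.0/16; };

# Pool 101: hash format. All entries share one netmask and do not overlap,
# which is the case the hash format is designed for. The size is the
# hash table size; pick it close to the number of entries.
table role = ipf type = hash number = 101 size = 64
        { 192.0.2.10/32; 192.0.2.11/32; 192.0.2.12/32; };

# /etc/opt/ipf/ipf.conf  (assumed HP-UX path; constructed example)
#
# Reference a pool from a filter rule with pool/<number> instead of
# repeating every address/netmask pair in the rule set.
block in quick on lan0 from pool/100 to any
pass  in quick on lan0 proto tcp from pool/101 to any port = 22 keep state

# Rate-based filtering from section 2.1, limited to 10 outbound packets
# per second to a single host; the /32 makes the host match explicit.
pass out on lan0 from any to 10.1.1.42/32 pps 10
```

Load the pool file before the rule file (ippool -f, then ipf -f), since a rule that names a pool that is not yet in the kernel will fail to load.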
2.3 State Aging
The system-defined state entry timeout values are:
• ICMP—60 seconds
• UDP—120 seconds
• TCP—120 seconds