HP-UX IPFilter Version A.03.05.14 Administrator's Guide

HP-UX IPFilter and Serviceguard
Using HP-UX IPFilter with Serviceguard
Chapter 10
entry from any TCP/IP packet, not just a SYN packet. A limit table entry
is created. Any new connections that exceed the connection limit are
rejected.
After the state table entry is created for a particular IP address
source/destination and TCP port source/destination 4-tuple, further
packets of this connection are processed in the state table entry. These
packets are not processed by the rules table.
For example, when Serviceguard detects that the primary IPFilter DCA
gateway has failed, the IP addresses of the primary systems are switched
to the standby DCA system. The standby system contains the same set of
configured rules as the primary system. Therefore, the standby system
can completely rebuild the TCP state tables and limit entries that were
previously on the primary system.
If a client has active connections to an IPFilter system and is attempting
to make new connections when Serviceguard fails over, the new
connections replace the existing connections in the limit table entry for
the client only if the established connections are not generating traffic.
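
The failover behavior described above can be illustrated with a simplified model. This is an added example, not HP-UX IPFilter code: the class, function names, addresses, limit of 2, and packet arrival order are all assumptions made for illustration.

```python
"""Simplified model (assumption, not HP-UX IPFilter code) of a standby DCA
gateway rebuilding its state and limit tables after a Serviceguard failover."""
from collections import defaultdict


class StandbyGateway:
    def __init__(self, limit):
        self.limit = limit              # per-client connection limit from the rule
        self.state = set()              # 4-tuples that have a state table entry
        self.count = defaultdict(int)   # limit table: client IP -> connections

    def packet(self, src, sport, dst, dport):
        conn = (src, sport, dst, dport)
        if conn in self.state:
            return "state-hit"          # handled by the state entry, rules skipped
        # No state entry yet, so the rules table is consulted. After failover
        # any TCP packet (not only a SYN) can create the entry.
        if self.count[src] >= self.limit:
            return "rejected"           # exceeds the connection limit
        self.state.add(conn)
        self.count[src] += 1
        return "created"


# Constructed sample data (documentation address ranges).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
OLD = [(CLIENT, 40001, SERVER, 80), (CLIENT, 40002, SERVER, 80)]  # established on primary
NEW = [(CLIENT, 40003, SERVER, 80), (CLIENT, 40004, SERVER, 80)]  # opened during failover


def replay(arrivals, limit=2):
    """Feed packets to a freshly failed-over standby with empty tables."""
    gw = StandbyGateway(limit)
    return [gw.packet(*conn) for conn in arrivals]


def busy_case():
    # Established connections generate traffic first and reclaim their slots.
    return replay(OLD + NEW + OLD)


def idle_case():
    # Established connections are silent, so the new ones fill the limit entry.
    return replay(NEW + OLD)


if __name__ == "__main__":
    print("busy:", busy_case())
    print("idle:", idle_case())
```

In the busy case the new connections are rejected; in the idle case they occupy the client's limit entry and later packets on the old connections are rejected.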