HP-UX IPFilter Version A.03.05.14 Administrator's Guide

Performance Guidelines
Rule Loading
When you load a large number of new rules into a ruleset, the system must
search the existing rules for duplicates before each new rule is added.
This slows down the loading process.
For example, if there is no group rule and there are 5000 rules on the
system, the system searches through all 5000 rules to be sure there is no
duplication before adding each new rule.
HP-UX IPFilter searches for duplicate rules by group. To speed the
search process when loading rules, divide the rules into groups. See
“Improving Performance with Rule Groups” on page 72 for information
on rule groups. HP recommends configuring a maximum of 5000 rules
per group and 5000 groups per system.
You do not need to flush and reload an entire ruleset to modify some
rules within it. Re-adding rules that already exist only slows
processing, because each one is checked against the existing rules. If
you are modifying a large ruleset, follow these steps:
1. Find the difference between the new ruleset and the current ruleset
using the diff command, so that you remove and add only the rules that
changed.
2. Delete the old rules using the ipf -rf command.
3. If your ruleset contains keep limit rules, modify the rules with the
ipf -f command.
4. Add the new rules using the ipf -f command. If a rule must be in a
specific place in the ruleset, specify the rule number using
@<rule_number> before the rule.
You can also modify an inactive ruleset and then switch the inactive
ruleset for the active ruleset with the ipf -s command.
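The following shell script is an added example of the procedure above; it is not part of the HP-UX IPFilter guide. It normalizes the active and the new rule files, computes which rules disappeared and which are new, and hands only those to ipf -rf and ipf -f instead of flushing and reloading the whole ruleset. The two rule files, the interface name lan0, and the 192.0.2.0/24 addresses are constructed for the example; the only ipf options it relies on are -rf and -f as described above.

```sh
#!/bin/sh
# Added example (not from the HP-UX IPFilter guide): remove and add only the
# rules that differ between the active ruleset and a new one.

# normalize_rules FILE
# Print the rules of FILE in canonical form: comments and blank lines dropped,
# runs of whitespace squeezed, sorted and deduplicated.  Duplicates are dropped
# here so that ipf never has to search for them while loading.
normalize_rules() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | grep -v '^$' | sort -u
}

# rules_to_remove OLD NEW : rules present in OLD but absent from NEW
rules_to_remove() {
    _o=$(mktemp); _n=$(mktemp)
    normalize_rules "$1" > "$_o"; normalize_rules "$2" > "$_n"
    comm -23 "$_o" "$_n"
    rm -f "$_o" "$_n"
}

# rules_to_add OLD NEW : rules present in NEW but absent from OLD
rules_to_add() {
    _o=$(mktemp); _n=$(mktemp)
    normalize_rules "$1" > "$_o"; normalize_rules "$2" > "$_n"
    comm -13 "$_o" "$_n"
    rm -f "$_o" "$_n"
}

# apply_delta OLD NEW [IPF]
# Delete the rules that disappeared (ipf -rf) and load the new ones (ipf -f).
# IPF defaults to the real binary; pass "echo ipf" to print the commands instead.
apply_delta() {
    _ipf=${3:-ipf}
    _rm=$(mktemp); _add=$(mktemp)
    rules_to_remove "$1" "$2" > "$_rm"
    rules_to_add    "$1" "$2" > "$_add"
    [ -s "$_rm" ]  && $_ipf -rf "$_rm"
    [ -s "$_add" ] && $_ipf -f "$_add"
    rm -f "$_rm" "$_add"
}

# Constructed sample rulesets: the active one and the edited one.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
OLD_RULES=$WORKDIR/ipf.conf.active
NEW_RULES=$WORKDIR/ipf.conf.new

cat > "$OLD_RULES" <<'EOF'
# constructed active ruleset
block in all
pass in quick on lan0 proto tcp from any to 192.0.2.10/32 port = 22 keep state
pass in quick on lan0 proto tcp from any to 192.0.2.10/32 port = 80 keep state
pass out quick on lan0 all keep state
EOF

cat > "$NEW_RULES" <<'EOF'
# constructed new ruleset: HTTP replaced by HTTPS, spacing changed
block in all
pass in quick on lan0 proto tcp from any to 192.0.2.10/32 port = 22 keep state
pass in  quick on lan0 proto tcp from any to 192.0.2.10/32 port = 443 keep state
pass out quick on lan0 all keep state
EOF

# Dry run: print the ipf commands that would be issued.
apply_delta "$OLD_RULES" "$NEW_RULES" "echo ipf"
```

Run it as root without the third argument to apply the change. The comparison is set-based, so it finds rules that came or went but does not notice a change in the relative order of rules that survive; a rule whose position matters must be added with @<rule_number> as described in step 4, or that group reloaded whole. Only the rules in the delta are searched for duplicates, which is the saving the guide describes.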