HP-UX IPFilter Version A.03.05.14 Administrator's Guide
Dynamic Connection Allocation
keep limit Rules and Rule Hits
For each new packet, every time there is a rule match, the hit count for
that rule is incremented. The rule does not have to be the final matching
rule. Some examples are:
• A rule is a matching, non-quick rule. If another rule match is later
found on the list, both hit counts are incremented.
• A rule is a matching group head. If a matching rule is found within
the group, both hit counts are incremented.
The rule hit count can be displayed with ipfstat -ioh. This command is a
useful troubleshooting mechanism, together with ipfstat -sl and
ipfstat -vL, which allow connections to be examined in real time. Lastly,
logging can be used to analyze the history of past connections.
Rule hits are registered differently for cumulative and non-cumulative
limits. A rule hit is usually registered only once for a non-cumulative
limit because, when a connection matches a non-cumulative keep limit
rule, a limit entry is created and subsequent connections are controlled
by that limit entry rather than by another rule match.
For a cumulative limit, each new connection registers a rule hit and
appears in the rule hit count, because cumulative limit connections
require a rule walk for each new connection.
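The following Python model is an added illustration, not IPFilter's own code: it walks a rule list with the hit-counting behaviour described above (a non-quick match and a matching group head are counted as well as the final match, a non-cumulative keep limit registers one hit and then controls later connections from the same source through its limit entry, and a cumulative keep limit walks the rules for every new connection). The rule representation, the per-source limit entry and the pass result for connections that match no rule are simplifications assumed here.

```python
from dataclasses import dataclass, field
@dataclass
class Rule:                          # simplified rule; match is a predicate on (src_ip, dst_port)
    name: str
    match: object
    quick: bool = False
    group: list = field(default_factory=list)   # non-empty: this rule is a group head
    keep_limit: int = 0              # nonzero: connections allowed by the keep limit
    cumulative: bool = False
    hits: int = 0                    # the count ipfstat -ioh would report for this rule
    used: int = 0                    # cumulative limit: connections counted against it so far

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.entries = {}            # src_ip -> [rule, count]: non-cumulative limit entries (assumed per-source)
    def _walk(self, conn, rules):    # rule walk: every matching rule is hit, not only the final one
        final = None
        for r in rules:
            if r.match(conn):
                r.hits += 1
                final = r
                if r.group:          # matching group head: the group is walked as well
                    final = self._walk(conn, r.group) or r
                if final.quick:
                    break
        return final
    def new_connection(self, conn):  # returns (accepted, name of the controlling rule)
        src = conn[0]
        if src in self.entries:      # an existing limit entry controls it: no rule walk, no hit
            rule, count = self.entries[src]
            self.entries[src][1] += 1
            return count < rule.keep_limit, rule.name
        rule = self._walk(conn, self.rules)
        if rule is None or not rule.keep_limit:
            return True, rule.name if rule else None   # no limit involved (pass assumed when nothing matches)
        if rule.cumulative:          # cumulative: a rule walk, hence a hit, for every connection
            rule.used += 1
            return rule.used <= rule.keep_limit, rule.name
        self.entries[src] = [rule, 1]    # first match creates the non-cumulative limit entry
        return True, rule.name

def demo():                          # constructed traffic: 3 HTTP from one host, then 3 SMTP
    http10 = Rule("http-from-10", lambda c: c[0].startswith("10."), quick=True, keep_limit=2)
    rules = [Rule("pass-all-nonquick", lambda c: True),
             Rule("head-http", lambda c: c[1] == 80, group=[http10]),
             Rule("smtp-cumulative", lambda c: c[1] == 25, quick=True, keep_limit=2, cumulative=True)]
    fw = Firewall(rules)
    accepted = [fw.new_connection(c)[0] for c in [("10.0.0.5", 80)] * 3 + [("192.168.1.1", 25)] * 3]
    return {r.name: r.hits for r in rules + [http10]}, accepted
```

With the constructed traffic, the non-quick rule and the cumulative rule accumulate a hit per walk, while the non-cumulative rule and its group head show a single hit even though the third HTTP connection is refused by the limit entry.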