Manualshelf

HP-UX IPFilter Version A.03.05.14 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPFilter Software
71727374757677787980
Dynamic Connection Allocation
DCA Variables
Chapter 360
When the number of states created reaches the fr_statemax limit,
HP-UX IPFilter will try to free up state entries and increments the
maximum counter. If HP-UX IPFilter fails to free up state entries, then no
more state entries are created. The maximum counter is incremented each
time a state entry is to be created but the state table is full. If the state
table is full, the connection is let through but no state entry is created.
This is true even if DCA mode is enabled.
The counter No Memory indicates that the system is out of memory and
no state entry can be created.
Limits of fr_limitmax
The fr_limitmax tunable has been deprecated and no longer used to
control the number of limit entries that can be created on the system.
fr_tcpidletimeout
The purpose of fr_tcpidletimeout is to determine the timeout period of
states kept on TCP connections that are idle.
The default timeout value is 86,400 seconds. The minimum value that
can be set for fr_tcpidletimeout is 300 seconds. For information on
changing the fr_tcpidletimeout variable, see the following section,
“Configuring Variables”.
Configuring Variables
Use the kmtune command to query and configure DCA variables. For new
values to take effect, you must unload, reconfigure, and reload the ipf
module. For example, to set fr_statemax to 6,000:
1. Unload the ipf module.
/sbin/init.d/ipfboot stop
2. Set the new value for fr_statemax.
kmtune -s fr_statemax=6000
3. Configure the module for the new value using the following
commands:
cd /stand/ipf
config -M ipf -u
4. Reload the ipf module.
/sbin/init.d/ipfboot start