IPfilter changes?
Martin Stiemerling
Martin.Stiemerling at ccrle.nec.de
Tue Apr 22 06:21:36 PDT 2003
[...]
> Flushing the state table (small): ipf -Fs
> did help, but not always. I've issued this a couple
> of times, and suddenly it worked again.
Ah, ok. So you are running out of state table entries...
>
> Flushing all states: ipf -FS helped a lot. It works much longer
> than just flushing incomplete states.
> However, ipfstat -s always shows:
> [..]
> 0 no memory
> [..]
That's OK, i.e. no out of memory problems within IP Filter.
Would be nice to see the "State table bucket statistics" output from the
end of ipfstat -s.
Here are the limits for states compiled into IP Filter (taken from
ip_state.h):
#ifndef IPSTATE_SIZE
# define IPSTATE_SIZE 5737
#endif
#ifndef IPSTATE_MAX
# define IPSTATE_MAX 4013 /* Maximum number of states held */
#endif
Martin
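
Added example, not part of the original message and not IP Filter's own code: a shell check that reads `ipfstat -s` text and compares the active state count with the IPSTATE_MAX value quoted above. The counter labels "active" and "maximum", the meaning assumed for "maximum", the function names and the sample text are assumptions made for this sketch; the sample counters are constructed.

```shell
#!/bin/sh
# IPSTATE_MAX as quoted from ip_state.h in the message above.
IPSTATE_MAX=4013

# check_states: read "ipfstat -s" text on stdin, print a one-line verdict.
# $1 = warning threshold in percent of IPSTATE_MAX (default 80).
# Assumption: the "maximum" counter counts state insertions refused because
# the table was already at its limit; it is cumulative since boot.
check_states() {
    awk -v max="$IPSTATE_MAX" -v pct="${1:-80}" '
        # Counter lines look like "<number> <label>", e.g. "0 no memory".
        $1 ~ /^[0-9]+$/ {
            label = $2
            for (i = 3; i <= NF; i++) label = label " " $i
            c[label] = $1 + 0
        }
        END {
            if (!("active" in c)) { print "UNKNOWN no active counter"; exit }
            refused = c["maximum"] + 0
            use = int(c["active"] * 100 / max)
            if (refused > 0 || c["active"] >= max) status = "LIMIT-HIT"
            else if (use >= pct)                   status = "WARN"
            else                                   status = "OK"
            printf "%s active=%d/%d (%d%%) refused=%d\n",
                   status, c["active"], max, use, refused
        }'
}

# Constructed sample resembling the counter block of "ipfstat -s".
sample_output() {
    cat <<'EOF'
IP states added:
	52110 TCP
	8034 UDP
	211 ICMP
	17 maximum
	0 no memory
	3890 active
	51200 expired
	5265 closed
EOF
}

# On a live host this would be: ipfstat -s | check_states
sample_output | check_states
```

A zero "no memory" counter together with a non-zero "maximum" counter is the pattern discussed in this thread: the kernel is not short of memory, the table has reached its compiled-in limit.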
More information about the freebsd-net
mailing list