From owner-freebsd-security  Mon Apr 16 12:57:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4])
	by hub.freebsd.org (Postfix) with ESMTP id 1BE2B37B43E
	for <freebsd-security@freebsd.org>; Mon, 16 Apr 2001 12:57:37 -0700 (PDT)
	(envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost)
	by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3GJw1Z56398
	for <freebsd-security@freebsd.org>; Mon, 16 Apr 2001 15:58:01 -0400 (EDT)
	(envelope-from rsimmons@wlcg.com)
Date: Mon, 16 Apr 2001 15:57:57 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: <freebsd-security@freebsd.org>
Subject: ipfilter state tables
Message-ID: <Pine.BSF.4.33.0104161551110.55162-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

The total number of states that ipfilter can keep is goverened by these
two constants in src/sys/netinet/ip_state.h and
/usr/src/contrib/ipfilter/ip_state.h:
IPSTATE_SIZE
IPSTATE_MAX

They are set to 5737, and 4013 which is ok for average use, but causes
problems for higher traffic firewalls.  Could these two have a kernel
config file knob?  This would make life easier :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6207Jv8Bofna59hYRA+7JAJ0dO+b+YmGlyJ9Gk2VgcTvi/R2ljgCfa6re
wg6WWa/swdM1JTCSC2XZyIw=
=idMY
-----END PGP SIGNATURE-----



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message