From: Rob Simmons
To: Darren Reed
Date: Wed, 1 Aug 2001 09:37:01 -0400 (EDT)
Subject: Re: ipfilter state tables
In-Reply-To: <200108011032.UAA24848@cairo.anu.edu.au>
Message-ID: <20010801093420.K41564-100000@mail.wlcg.com>
Sender: owner-freebsd-security@FreeBSD.ORG

Maybe adding a kernel option:

options IPSTATE_SIZE xxxxx
options IPSTATE_MAX xxxxx

and appropriate options for IPNAT constants?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 1 Aug 2001, Darren Reed wrote:

> In some mail from Rob Simmons, sie said:
> >
> > I noticed that the code around the IPSTATE_SIZE and IPSTATE_MAX constants
> > in:
> > src/contrib/ipfilter/ip_state.h
> > src/sys/contrib/ipfilter/netinet/ip_state.h
> >
> > has changed and there was a line added to:
> > src/contrib/ipfilter/HISTORY
> >
> > "allow state/nat table sizes to be externally influenced"
> >
> > I had suggested that a sysctl knob, or a kernel config file knob be added
> > to control these. Does this mean that the knob exists? I looked in the
> > man page for sysctl and did not see anything, nor did I see anything in
> > LINT about it.
> >
> > Am I looking in the wrong place, or was that change just a preparation for
> > adding the knob?
>
> There's no knob at present because you really need to stop (ipf -D) ipfilter,
> then change the values via sysctl, then start it (ipf -E). It's safer to
> enforce this by requiring a reboot (at present).
>