Date: Wed, 1 Aug 2001 20:32:16 +1000 (Australia/NSW)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: rsimmons@wlcg.com (Rob Simmons)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfilter state tables
Message-ID: <200108011032.UAA24848@cairo.anu.edu.au>
In-Reply-To: <20010731151035.B11705-100000@mail.wlcg.com> from "Rob Simmons" at Jul 31, 2001 03:26:28 PM

In some mail from Rob Simmons, sie said:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> I noticed that the code around the IPSTATE_SIZE and IPSTATE_MAX constants
> in:
> src/contrib/ipfilter/ip_state.h
> src/sys/contrib/ipfilter/netinet/ip_state.h
>
> has changed and there was a line added to:
> src/contrib/ipfilter/HISTORY
>
> "allow state/nat table sizes to be externally influenced"
>
> I had suggested that a sysctl knob, or a kernel config file knob be added
> to control these. Does this mean that the knob exists? I looked in the
> man page for sysctl and did not see anything, nor did I see anything in
> LINT about it.
>
> Am I looking in the wrong place, or was that change just a preparation for
> adding the knob?

There's no knob at present because you really need to stop (ipf -D)
ipfilter, then change the values via sysctl, then start it (ipf -E).
It's safer to enforce this by requiring a reboot (at present).