From owner-freebsd-security Wed Aug 1 3:32:30 2001
From: Darren Reed
Message-Id: <200108011032.UAA24848@cairo.anu.edu.au>
Subject: Re: ipfilter state tables
To: rsimmons@wlcg.com (Rob Simmons)
Date: Wed, 1 Aug 2001 20:32:16 +1000 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20010731151035.B11705-100000@mail.wlcg.com> from "Rob Simmons" at Jul 31, 2001 03:26:28 PM

In some mail from Rob Simmons, sie said:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> I noticed that the code around the IPSTATE_SIZE and IPSTATE_MAX constants
> in:
> src/contrib/ipfilter/ip_state.h
> src/sys/contrib/ipfilter/netinet/ip_state.h
>
> has changed and there was a line added to:
> src/contrib/ipfilter/HISTORY
>
> "allow state/nat table sizes to be externally influenced"
>
> I had suggested that a sysctl knob, or a kernel config file knob be added
> to control these. Does this mean that the knob exists? I looked in the
> man page for sysctl and did not see anything, nor did I see anything in
> LINT about it.
>
> Am I looking in the wrong place, or was that change just a preparation for
> adding the knob?

There's no knob at present because you really need to stop (ipf -D)
ipfilter, then change the values via sysctl, then start it (ipf -E).
It's safer to enforce this by requiring a reboot (at present).