On  6/08/09 11:38 AM, Jeremy Harris wrote:
Darren Reed wrote:
Jens Elkner wrote:
Finally (in July 2009, i.e. almost 2 years later!!!) it turned out
that the state table size is by far too small - see fr_statemax in
ipf -T list | awk '/fr_state/ { print $1, $7 }'

So the Sun case engineer explained, if ipf cannot insert an entry into
the state table, it just _continues_ evaluating the rules that follow. I couldn't believe my eyes!!! What a crap!!!

Well, what would you have it do?

On "secure by default" grounds, drop the packet.  And bump a counter.

And given that the failed state addition will cause the rule to
become a non-match, that is exactly what it does.

Darren
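As an added example (not code from the thread or from ipfilter itself): a small POSIX sh check that parses the `ipf -T list` output quoted above and flags an fr_statemax that is below an operator-chosen floor, so an undersized state table is caught before inserts start failing. The input format is assumed to be ipfilter's tunable listing ("name min X max Y current Z", which is why the awk above prints $7); the sample lines and the floor value are constructed.

```shell
#!/bin/sh
# Added example: detect an undersized ipfilter state table from `ipf -T list`.
# Assumed line format (matches the $7 used in the thread's awk one-liner):
#   <name>  min <hex>  max <hex>  current <value>

# Constructed sample of `ipf -T list` output, trimmed to the fr_state* tunables.
SAMPLE_TUNABLES='fr_statemax min 0x1 max 0x7fffffff current 4013
fr_statesize min 0x1 max 0x7fffffff current 5737
fr_state_lock min 0x0 max 0x1 current 0'

# current_tunable NAME: read `ipf -T list` output on stdin, print the
# "current" value of tunable NAME (nothing if the tunable is absent).
current_tunable() {
    awk -v name="$1" '$1 == name { print $7 }'
}

# check_statemax FLOOR: read `ipf -T list` output on stdin.
# Returns 0 when fr_statemax >= FLOOR, 1 when it is smaller (the table is
# likely to fill and later rules will decide the packet's fate), 2 when
# fr_statemax is not present in the input at all.
check_statemax() {
    floor="$1"
    cur=$(current_tunable fr_statemax)
    [ -n "$cur" ] || return 2
    [ "$cur" -ge "$floor" ] && return 0
    return 1
}

# On a live system: ipf -T list | check_statemax 65536
printf '%s\n' "$SAMPLE_TUNABLES" | check_statemax 65536 \
    && echo "fr_statemax ok" \
    || echo "fr_statemax below floor; state inserts may fail under load"
```

Pair the floor with the system's actual peak connection count (ipfstat -s reports the active state numbers) rather than the default.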

_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org