On 6/08/09 11:38 AM, Jeremy Harris wrote:
Darren Reed wrote:
Jens Elkner wrote:
Finally (in July 2009, i.e. almost 2 years later!!!) it turned out
that the state table size is by far too small - see fr_statemax in
ipf -T list | awk '/fr_state/ { print $1, $7 }'
So the Sun case engineer explained that if ipf cannot insert an entry into
the state table, it just _continues_ evaluating the rules that
follow. I couldn't believe my eyes!!! What crap!!!
Well, what would you have it do?
On "secure by default" grounds, drop the packet. And bump a counter.
And given that the failed state addition will cause the rule to
become a non-match, that is exactly what it does.
Darren
_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org
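The practical consequence of Darren's answer is that what happens to a packet when fr_statemax is reached depends on the rest of the ruleset: the "keep state" rule drops out as a non-match, and the verdict falls to whatever else matches. The model below is an added illustration written for this page, not IPFilter source or anything posted in the thread. The rule format, the sample `ipf -T list` listing (same field layout the awk one-liner above reads) and the packets are constructed; ipf's semantics are simplified to "evaluate in order, last match wins unless the rule is quick", and the verdict when no rule matches is assumed to be pass. It shows a ruleset that fails closed (block first, stateful pass second) beside one that fails open (a stateless pass earlier in the list), and keeps the counter Jeremy asks for.

```python
"""Model of an IPFilter 'keep state' rule when the state table is full:
the failed insertion makes the rule a non-match and evaluation continues.
Added illustration for this page, not IPFilter source.  Rule format,
sample listing and packets are constructed; semantics are simplified."""
from dataclasses import dataclass, field

# Constructed sample in the layout read by: ipf -T list | awk '/fr_state/ { print $1, $7 }'
# (field 1 = tunable name, field 7 = current value).
SAMPLE_IPF_T_LIST = """\
fr_flags        min 0       max 0xffffffff  current 0
fr_statemax     min 0x1     max 0x7fffffff  current 2
fr_statesize    min 0x1     max 0x7fffffff  current 5737
"""

def tunable(listing, name):
    """Return the current value of one tunable from an 'ipf -T list' listing."""
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0] == name:
            return int(f[6], 0)          # values may be hex (0x...) or decimal
    raise KeyError(name)

@dataclass
class Rule:
    action: str                          # 'pass' or 'block'
    proto: str = 'all'                   # 'tcp', 'udp' or 'all'
    quick: bool = False                  # stop evaluating once this rule matches
    keep_state: bool = False             # try to insert a state entry on match

@dataclass
class Firewall:
    rules: list
    statemax: int                        # fr_statemax
    default: str = 'pass'                # assumed verdict when no rule matches
    states: set = field(default_factory=set)
    bad_state_adds: int = 0              # bumped on every failed insertion

    def check(self, pkt):
        """pkt is (proto, src, dst); returns 'pass' or 'block'."""
        if pkt in self.states:           # an existing state short-circuits the rules
            return 'pass'
        verdict = self.default
        for r in self.rules:
            if r.proto != 'all' and r.proto != pkt[0]:
                continue
            if r.keep_state:
                if len(self.states) >= self.statemax:
                    self.bad_state_adds += 1
                    continue             # insertion failed: rule is a non-match, keep going
                self.states.add(pkt)     # simplification: state inserted at match time
            verdict = r.action
            if r.quick:
                break
        return verdict

# block everything, then pass TCP statefully: a full table falls back to 'block'
FAIL_CLOSED = [Rule('block'),
               Rule('pass', proto='tcp', quick=True, keep_state=True)]
# permissive base rule first: a full table falls back to the stateless 'pass'
FAIL_OPEN = [Rule('pass'),
             Rule('block', proto='udp', quick=True),
             Rule('pass', proto='tcp', quick=True, keep_state=True)]

PACKETS = [('tcp', '10.0.0.1', '10.0.0.2'),
           ('tcp', '10.0.0.3', '10.0.0.2'),
           ('tcp', '10.0.0.4', '10.0.0.2'),   # third flow: table (max 2) is full
           ('tcp', '10.0.0.1', '10.0.0.2')]   # repeat of the first: matched by state

def run(rules):
    """Evaluate PACKETS against rules; returns (verdicts, failed state insertions)."""
    fw = Firewall(rules, tunable(SAMPLE_IPF_T_LIST, 'fr_statemax'))
    return [fw.check(p) for p in PACKETS], fw.bad_state_adds

if __name__ == '__main__':
    for name, rules in (('fail-closed', FAIL_CLOSED), ('fail-open', FAIL_OPEN)):
        print(name, *run(rules))
```

Both rulesets record the same failed insertion for the third flow; only the first one turns it into a drop. On a real box the check is the same in spirit: read fr_statemax with the one-liner above, and make sure the rules that remain in play after a "keep state" non-match are block rules.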