On Thu, Nov 14, 2002 at 11:16:42AM +0100, Dries Schellekens wrote:
> I think PR 2309 (pf crashes kernel when pool_get() exhausts memory)
> is still open. So it's still possible to crash a firewall if you don't
> have a state limit set. And apparently it's possible to crash it even when
> a fragment limit is set.
Yes, pool exhaustion still causes crashes. If you don't set frag/state limits (or set them too high), you'll get them. It's certainly possible to fix it, but not exactly trivial. The PR is still open, and art@ knows about the problem.

Set low enough limits (there's no precise formula to calculate the numbers, but you can verify chosen limits are safe by sending traffic that creates fragment and state entries, increasing the relevant timeouts if needed, during the test).

Daniel
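The limits and timeouts the reply talks about are set in pf.conf. The fragment below is an added example for this page, not configuration from the thread or from the pf project, and the numbers in it are assumptions chosen for illustration; the right values for a given firewall depend on its memory and traffic, which is why the reply says to verify them under a generated state and fragment load. The `set limit` and `set timeout` keywords are the pf.conf directives of the era; the specific values are not from the page.

```conf
# Added example, not from the original thread: a pf.conf fragment that
# caps the state and fragment pools so pool_get() cannot run dry.
# The numbers are assumptions for illustration; pick them for your box.

# Weak setting: no "set limit" lines at all. Each new state or fragment
# entry calls pool_get() until kernel memory is exhausted and the box
# crashes (PR 2309 as quoted above).

# Corrected setting: bound both pools explicitly.
set limit states 10000
set limit frags  5000

# While testing, raise the fragment timeout (assumed value) so entries
# linger and the cap is reached sooner; that lets you confirm the firewall
# survives hitting the limit rather than running out of pool memory.
set timeout frag 120
```

After loading the ruleset, confirm the limits took effect with `pfctl -s memory` (which lists the states and frags hard limits) and watch the live entry counts with `pfctl -s info` and `pfctl -s state | wc -l` while the test traffic runs; the firewall should refuse new entries at the cap instead of panicking. Reset the fragment timeout to its normal value once the test is done.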
