[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    IPFilter 4.1.21
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2007-05-12 12:21:38
Message-ID: 4645B152.6070206 () reed ! wattle ! id ! au
[Download RAW message or body]


During the last week, I've been looking at the problem with the
state table filling and how it empties itself as I finally ran
into this problem locally.  Suffice to say I found two issues:
the first was that it wasn't empting like it should and the
second was a large number of orphans were being created.  I've
solved both issues :-)  The orphan problem is what amounts to
a state table entry leak when return-* is used or policy routing.
I'm not sure how this works with "block return-*", but it does.

Anyway, so that's that solve.

In getting there I've added a few things:
- there's another stats line in "ipfstat -s" to report the number
  of times the limit is reached on a rule (this was always being
  counted, just not reported)
- if you do "ipfstat -vio", lines that have "keep state" will now
  have "# count 0" appended or if there are a number of states active
  against that rule, that number will be there in place of 0.
- "ipfstat -s" (and "ipnat -s") now reports the population of the
  *TCP* state table, like this:

TCP Entries per state
     0     1     2     3     4     5     6     7     8     9    10    11
     0   110     1     0   365    93   129     0     2     0    92    16

- you can now use ipf to flush any particular state past 4 (ESTABLISHED)
  by doing "ipf -F5" to flush 5, etc.
- you can now use ipf to flush entries that have been idle for at least
  n seconds (where n > 30) by doing "ipf -Fn"

Hopefully this will all help make people's lives better :-)  And building
on this, ipf5 will be able to show the per-protocol count of states.

Oh, and it sould build cleanly on FreeBSD 4.4 - current.  I did build it
on 4.2 and 4.3, but there are build warnings with yacc, so I've discarded
those two versions (environmental issues in the O/S :-)

Anyway...I believe this is the end of this summary for 4.1.21.

Darren

http://coombs.anu.edu.au/~avalon/ip_fil4.1.21.tar.gz
http://coombs.anu.edu.au/~avalon/patch-4.1.21.gz
MD5 (ip_fil4.1.21.tar.gz) = 6632a1a6d6330f082ea959351c6b0268
MD5 (patch-4.1.21.gz) = d0fe53b46ddc8b862af7aab9d5c2300f

4.1.21 - Released 12 May 2007

show the number of states created against a rule with "-v" for ipfstat

fix build problems with FreeBSD

make it possible to flush the state table by idle time and TCP state

fix flushing out idle connections when state/NAT tables fill

print out the TCP state population with ipfstat/ipnat

stop creation of state table orphans via return-*/fastroute

fix printing out of rule groups - they now only appear once

4.1.20 - Released 30 April 2007





["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]