Applies to:
Solaris SPARC Operating System - Version 10 8/07 U4 to 10 9/10 U9 [Release 10.0]
Solaris x64/x86 Operating System - Version 10 8/07 U4 to 10 9/10 U9 [Release 10.0]
All Platforms
Goal
Since S10U4, one may use /usr/kernel/drv/ipf.conf (see driver.conf(4)) to tune IPFilter. Here we provide a simple guide along with its explanation.
For more details, please also refer to ipf(1M) and ipf.conf(4) and http://download.oracle.com/docs/cd/E19253-01/index.html
Fix
Please stop any other operation on ipf first.
(1) Print out all IPFilter kernel tunable parameters
$ ipf -T list
fr_flags min 0 max 0xffffffff current 0
fr_active min 0 max 0 current 0
fr_control_forwarding min 0 max 0x1 current 0
fr_update_ipid min 0 max 0x1 current 0
fr_chksrc min 0 max 0x1 current 0
fr_minttl min 0 max 0x1 current 4
fr_icmpminfragmtu min 0 max 0x1 current 68
fr_pass min 0 max 0xffffffff current 134217730
ipf_loopback min 0 max 0x1 current sz = 0
fr_tcpidletimeout min 0x1 max 0x7fffffff current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff current 240
fr_tcplastack min 0x1 max 0x7fffffff current 240
fr_tcptimeout min 0x1 max 0x7fffffff current 240
fr_tcpclosed min 0x1 max 0x7fffffff current 120
fr_tcphalfclosed min 0x1 max 0x7fffffff current 14400
fr_udptimeout min 0x1 max 0x7fffffff current 240
fr_udpacktimeout min 0x1 max 0x7fffffff current 24
fr_icmptimeout min 0x1 max 0x7fffffff current 120
fr_icmpacktimeout min 0x1 max 0x7fffffff current 12
fr_iptimeout min 0x1 max 0x7fffffff current 120
fr_statemax min 0x1 max 0x7fffffff current 4013
fr_statesize min 0x1 max 0x7fffffff current 5737
fr_state_lock min 0 max 0x1 current 0
fr_state_maxbucket min 0x1 max 0x7fffffff current 26
fr_state_maxbucket_reset min 0 max 0x1 current 1
ipstate_logging min 0 max 0x1 current 1
fr_nat_lock min 0 max 0x1 current 0
ipf_nattable_sz min 0x1 max 0x7fffffff current 2047
ipf_nattable_max min 0x1 max 0x7fffffff current 30000
ipf_natrules_sz min 0x1 max 0x7fffffff current 127
ipf_rdrrules_sz min 0x1 max 0x7fffffff current 127
ipf_hostmap_sz min 0x1 max 0x7fffffff current 2047
fr_nat_maxbucket min 0x1 max 0x7fffffff current 22
fr_nat_maxbucket_reset min 0 max 0x1 current 1
nat_logging min 0 max 0x1 current 1
fr_defnatage min 0x1 max 0x7fffffff current 1200
fr_defnatipage min 0x1 max 0x7fffffff current sz = 0
fr_defnaticmpage min 0x1 max 0x7fffffff current 6
ipfr_size min 0x1 max 0x7fffffff current 257
fr_ipfrttl min 0x1 max 0x7fffffff current 120
ipl_suppress min 0 max 0x1 current 1
ipl_buffer_sz min 0 max 0 current 0
ipl_logmax min 0 max 0x7fffffff current 7
ipl_logall min 0 max 0x1 current 0
ipl_logsize min 0 max 0x80000 current 8192
ippr_ftp_debug min 0 max 0xa current 0
(2) Display the current TCP idle timeout and then set it to 3600
$ ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
fr_tcpidletimeout min 0x1 max 0x7fffffff current 864000
(3) Display the current values of fr_pass and fr_chksrc, then set fr_chksrc to 1.
$ ipf -T fr_pass,fr_chksrc,fr_chksrc=1
fr_pass min 0 max 0xffffffff current 134217730
fr_chksrc min 0 max 0x1 current 0
(4) How to make the change permanent.
before change:
$ cat /usr/kernel/drv/ipf.conf
#
#
name="ipf" parent="pseudo" instance=0;
after change (the tunables are given in ipf.conf under the same names that ipf -T lists them):
$ cat /usr/kernel/drv/ipf.conf
name="ipf" parent="pseudo" instance=0 fr_tcpidletimeout=3600 fr_chksrc=1 fr_statesize=10001 fr_statemax=7000;
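The following shell script is an added example and is not part of the original note. It checks that the tunables persisted in /usr/kernel/drv/ipf.conf match the values the kernel currently reports, so a value that was edited into the file but never loaded into the running driver shows up as drift. Both the `ipf -T list` output and the ipf.conf contents are constructed samples embedded in the script; on a live Solaris 10 host you would feed it the real `ipf -T list` output and the real file instead, as the comment at the bottom shows.

```shell
#!/bin/sh
# Added example (not from the original note): compare the tunables persisted in
# /usr/kernel/drv/ipf.conf against the running values reported by `ipf -T list`.

# Constructed sample of `ipf -T list` output, standing in for the real command.
# fr_chksrc is shown already set to 1 at run time; the other three still carry
# their defaults.
IPF_T_LIST_SAMPLE='fr_tcpidletimeout min 0x1 max 0x7fffffff current 864000
fr_chksrc min 0 max 0x1 current 1
fr_statesize min 0x1 max 0x7fffffff current 5737
fr_statemax min 0x1 max 0x7fffffff current 4013
ipf_loopback min 0 max 0x1 current sz = 0'

# Constructed sample of /usr/kernel/drv/ipf.conf contents.
IPF_CONF_SAMPLE='#
# tunables added after S10U4
name="ipf" parent="pseudo" instance=0 fr_tcpidletimeout=3600 fr_chksrc=1 fr_statesize=10001 fr_statemax=7000;'

# ipf_conf_tunables CONF: print "name value" for each tunable in CONF, skipping
# comment lines and the driver.conf keywords name/parent/instance.
ipf_conf_tunables() {
    printf '%s\n' "$1" | grep -v '^#' | tr ';' '\n' | tr ' ' '\n' \
        | grep '=' | grep -v -e '^name=' -e '^parent=' -e '^instance=' \
        | sed 's/=/ /'
}

# ipf_running_value LIST NAME: the "current" field for NAME in saved
# `ipf -T list` output, or nothing if NAME is not a known tunable.
ipf_running_value() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 == want { print $NF; exit }'
}

# ipf_conf_drift LIST CONF: one line per configured tunable, suffixed with
# DRIFT when the running value differs from (or is missing for) the configured one.
ipf_conf_drift() {
    ipf_conf_tunables "$2" | while read -r name want; do
        have=$(ipf_running_value "$1" "$name")
        if [ -z "$have" ]; then
            echo "$name configured=$want running=<unknown tunable> DRIFT"
        elif [ "$have" != "$want" ]; then
            echo "$name configured=$want running=$have DRIFT"
        else
            echo "$name configured=$want running=$have"
        fi
    done
}

# ipf_conf_drift_count LIST CONF: number of tunables flagged DRIFT (0 = in sync).
ipf_conf_drift_count() {
    ipf_conf_drift "$1" "$2" | grep -c 'DRIFT$' || true
}

# Stand-alone run against the samples; on a real host use:
#   ipf_conf_drift "$(ipf -T list)" "$(cat /usr/kernel/drv/ipf.conf)"
ipf_conf_drift "$IPF_T_LIST_SAMPLE" "$IPF_CONF_SAMPLE"
echo "tunables out of sync: $(ipf_conf_drift_count "$IPF_T_LIST_SAMPLE" "$IPF_CONF_SAMPLE")"
```

A non-zero drift count after editing ipf.conf is the expected state until the driver has been reloaded; a non-zero count long after that points at a tunable name that ipf does not recognise, or at someone changing values with `ipf -T` behind the file's back.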
Special consideration for fr_statemax, fr_statesize and fr_state_maxbucket:
Sun's IPF implements the state table as a hash table with separate chaining. To each IPF state table Sun added a few extensions:
* stack instances
* NAT for IPv6
The state table size is controlled by:
fr_statemax: maximum number of states
fr_statesize: hash table size (number of buckets)
fr_state_maxbucket: chain length (maximum entries per bucket)
fr_statesize and fr_state_maxbucket are the two dimensions of the state table. Treating it as a grid with number of cells = width * height:
total number of cells = fr_statesize * fr_state_maxbucket
In the example above, the size of the state table (the total number of its cells) is:
fr_statesize min 0x1 max 0x7fffffff current 5737
fr_state_maxbucket min 0x1 max 0x7fffffff current 26
fr_statesize * fr_state_maxbucket = 5737 * 26 = 149162
Each cell takes roughly 1/2 KB (sizeof(ipstate_t) ≈ 556 bytes), so the memory used by the state table is:
1/2 * 149162 ≈ 75kB
fr_statemax min 0x1 max 0x7fffffff current 4013
So only 4013 of the 149162 entries will be used.
If you set fr_state_maxbucket=0, IPF computes a default value from fr_statesize as lb(fr_statesize)*2 (the binary logarithm times two), i.e. lb(5737)*2 in this example.
That is why fr_statemax has been introduced: it caps the number of states actually allocated, independently of the table's geometry.
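The sizing arithmetic above, carried through as an added shell example that is not part of the original note. It reads the page's values for fr_statesize, fr_state_maxbucket and fr_statemax from a constructed copy of the `ipf -T list` lines, derives the default chain length IPF would pick for fr_state_maxbucket=0, and reports the table's cell count, its memory in bytes (the note's 1/2 KB per cell times 149162 cells, which works out to roughly 75,000 KB) and how small a share of those cells fr_statemax actually lets IPF fill. The 556-byte sizeof(ipstate_t) is taken from the note and treated as an assumption; the lb(fr_statesize)*2 default is implemented as the bit length of fr_statesize times two, which is the rounding that reproduces the 26 shown in the listing for 5737.

```shell
#!/bin/sh
# Added example (not from the original note): work through the state-table
# sizing arithmetic for the values shown in the note.

# Constructed sample: the three state-table tunables as `ipf -T list` prints them.
STATE_TUNABLES_SAMPLE='fr_statemax min 0x1 max 0x7fffffff current 4013
fr_statesize min 0x1 max 0x7fffffff current 5737
fr_state_maxbucket min 0x1 max 0x7fffffff current 26'

# sizeof(ipstate_t) as quoted by the note; assumed here, it varies by build.
IPSTATE_T_BYTES=556

# tunable_current NAME: the "current" field for NAME in the saved listing.
tunable_current() {
    printf '%s\n' "$STATE_TUNABLES_SAMPLE" | awk -v n="$1" '$1 == n { print $NF }'
}

# default_maxbucket STATESIZE: chain length IPF derives when fr_state_maxbucket=0.
# Implemented as the bit length of fr_statesize times two (floor(lb)+1, then *2),
# the rounding that yields the 26 seen for fr_statesize=5737.
default_maxbucket() {
    n=$1; bits=0
    while [ "$n" -gt 0 ]; do bits=$((bits + 1)); n=$((n / 2)); done
    echo $((bits * 2))
}

# state_table_cells STATESIZE MAXBUCKET: total cells = width * height.
state_table_cells() { echo $(($1 * $2)); }

# state_table_bytes CELLS: memory if every cell held one ipstate_t.
state_table_bytes() { echo $(($1 * IPSTATE_T_BYTES)); }

# state_table_pct_used CELLS STATEMAX: integer percentage of the cells that
# fr_statemax allows IPF to fill.
state_table_pct_used() { echo $(($2 * 100 / $1)); }

# state_table_report: put the pieces together for the sample values.
state_table_report() {
    size=$(tunable_current fr_statesize)
    bucket=$(tunable_current fr_state_maxbucket)
    max=$(tunable_current fr_statemax)
    if [ "$bucket" -eq 0 ]; then
        bucket=$(default_maxbucket "$size")
        echo "fr_state_maxbucket=0, kernel default would be $bucket"
    fi
    cells=$(state_table_cells "$size" "$bucket")
    bytes=$(state_table_bytes "$cells")
    echo "cells      : $size * $bucket = $cells"
    echo "memory     : $cells * $IPSTATE_T_BYTES = $bytes bytes (~$((bytes / 1048576)) MB)"
    echo "fr_statemax: $max, i.e. $(state_table_pct_used "$cells" "$max")% of the cells"
}

state_table_report
```

When raising fr_statemax (as the ipf.conf example above does with fr_statemax=7000), run the same arithmetic with the new fr_statesize first: a cap that exceeds fr_statesize * fr_state_maxbucket can never be reached, and a table whose geometry is far larger than the cap only costs memory.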