How to increase the PF firewall "max states per rule"

max states per rule on my firewall:

#  pfctl -vvsi
Status: Enabled for 0 days 13:05:38           Debug: Urgent

Hostid:   0x6556c6a9
Checksum: 0xe80368af9b3c0a876218cd2af59fbed5

State Table                          Total             Rate
  current entries                     7614
  searches                       323053106         6853.3/s
  inserts                          6650716          141.1/s
  removals                         6643102          140.9/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                           31988315          678.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                             12            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      4702            0.1/s
  state-insert                       45381            1.0/s
  state-limit                        13837            0.3/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                13837            0.3/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

As you can see above, we are hitting state-limits for the following reason: max states per rule

My limits are fairly large.

# pfctl -sm
states        hard limit   550000
src-nodes     hard limit    50000
frags         hard limit     5000
tables        hard limit     5000
table-entries hard limit   400000

But how can I increase max states per rule?

Answer 1

Have you tried this?

PF.CONF(5)                       File Formats Manual                       PF.CONF(5)

STATEFUL TRACKING OPTIONS
     A number of options related to stateful tracking can be applied on a per-rule
     basis.  keep state, modulate state and synproxy state support these options, and
     keep state must be specified explicitly to apply options to a rule.

     max ⟨number⟩
           Limits the number of concurrent states the rule may create.  When this
           limit is reached, further packets that would create state will not match
           this rule until existing states time out.
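A pf.conf fragment, added here as an example (it is not from the original post or the answer), showing a rule whose per-rule cap is too low next to the same rule with the cap raised; the interface name em0, the port and all numbers are assumed values:

```conf
# Added example pf.conf fragment (not from the original post).
# Interface "em0", the port and every number below are assumed values.

# Global state-table ceiling; this is the "states hard limit" that
# "pfctl -sm" reports.
set limit states 550000

# Before: every connection this rule passes counts against a cap of 5000
# concurrent states. Once 5000 are live, further packets stop matching the
# rule (the "max states per rule" limit counter in "pfctl -vvsi" goes up)
# until existing states time out.
#pass in on em0 proto tcp to port 443 keep state (max 5000)

# After: raise the per-rule cap well above the observed "current entries",
# while keeping it below the global "set limit states" value.
# "keep state" must be written explicitly for the option to apply.
pass in on em0 proto tcp to port 443 keep state (max 100000)

# Alternative: omit "max" entirely, so only the global limit applies
# to states created by this rule.
#pass in on em0 proto tcp to port 443 keep state
```

Validate with `pfctl -nf /etc/pf.conf` before loading it; afterwards `pfctl -vsr` prints each rule's current `States:` count, which shows how close a rule sits to its `max`.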
