My firewall is running into a problem related to max states per rule.
# pfctl -vvsi
Status: Enabled for 0 days 13:05:38 Debug: Urgent
Hostid: 0x6556c6a9
Checksum: 0xe80368af9b3c0a876218cd2af59fbed5
State Table Total Rate
current entries 7614
searches 323053106 6853.3/s
inserts 6650716 141.1/s
removals 6643102 140.9/s
Source Tracking Table
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 31988315 678.6/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 12 0.0/s
proto-cksum 0 0.0/s
state-mismatch 4702 0.1/s
state-insert 45381 1.0/s
state-limit 13837 0.3/s
src-limit 0 0.0/s
synproxy 0 0.0/s
Limit Counters
max states per rule 13837 0.3/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
As we can see above, we are hitting state-limits because of max states per rule.
My maximums are quite large:
# pfctl -sm
states hard limit 550000
src-nodes hard limit 50000
frags hard limit 5000
tables hard limit 5000
table-entries hard limit 400000
But how can I increase max states per rule?
Answer 1
Have you tried this?
PF.CONF(5) File Formats Manual PF.CONF(5)
…
STATEFUL TRACKING OPTIONS
A number of options related to stateful tracking can be applied on a per-rule
basis. keep state, modulate state and synproxy state support these options, and
keep state must be specified explicitly to apply options to a rule.
max ⟨number⟩
Limits the number of concurrent states the rule may create. When this
limit is reached, further packets that would create state will not match
this rule until existing states time out.
…
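To make the man page excerpt concrete, here is a constructed pf.conf fragment (an added example, not from the question or the answer) showing a rule that carries a low per-rule state ceiling next to the same rule with the ceiling raised; the interface name, address and numbers are assumptions.

```conf
# Constructed pf.conf fragment (added example; names and values are assumptions).
ext_if  = "em0"
web_srv = "192.0.2.10"

# The per-rule "max" option is what feeds the "max states per rule"
# limit counter in pfctl -vvsi: once a rule's budget is full, packets that
# would create a new state stop matching it until existing states expire.
# A rule saturating at a low ceiling looks like this:
#
# pass in on $ext_if proto tcp to $web_srv port { 80 443 } \
#     keep state (max 5000)

# Raise the per-rule ceiling explicitly. Keep the sum of per-rule ceilings
# within the global limit reported by "pfctl -sm" (states hard limit);
# the global value itself is set with "set limit states <number>".
pass in on $ext_if proto tcp to $web_srv port { 80 443 } \
    keep state (max 50000)

# Optionally bound what a single source may consume from that budget, so
# one host cannot exhaust the rule's states for everyone else.
pass in on $ext_if proto tcp to $web_srv port 22 \
    keep state (max 50000, max-src-states 200)
```

After reloading with `pfctl -f /etc/pf.conf`, `pfctl -vsr` prints a `States:` counter under each rule, which identifies the rule that is sitting at its ceiling.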