Re: Scrub and Kernel Panics

On Thu, Nov 14, 2002 at 11:16:42AM +0100, Dries Schellekens wrote:
> I think PR 2309 (pf crashes kernel when pool_get() exhausts memory)
> is still open. So it's still possible to crash a firewall if you don't
> have a state limit set. And apparantly it's possible to crash it even when
> a fragment limit is set.
Yes, pool exhaustion still causes crashes. If you don't set frag/state
limits (or set them too high), you'll get them. It's certainly possible
to fix it, but not exactly trivial. The PR is still open, and art@ knows
about the problem. Set low enough limits (there's no precise formula to
calculate the numbers, but you can verify chosen limits are safe by
sending traffic that creates fragment and state entries, increasing the
relevant timeouts if needed, during the test).
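As an added illustration of the "set limits, then verify them" advice above (this is example code, not from the thread, from OpenBSD, or from art@), here is a small sh script that reads the hard limits you would set in pf.conf (`set limit states N`, `set limit frags N`) back out of `pfctl -sm`-style output, compares the state table's current occupancy from `pfctl -si`-style output against the states limit, and warns when the table is nearly full. The limit values are illustrative only, the pfctl output is constructed so the script runs offline (on a live box, replace the two sample functions with the real `pfctl -sm` / `pfctl -si` calls), and the function names are my own. Only the state table is checked here; the fragment limit is read but not compared, since this example makes no assumption about how fragment-table occupancy is reported.

```shell
#!/bin/sh
# Added example (not from the original thread): check how close pf's state
# table is to the hard limit configured with "set limit states" in pf.conf.
# pf.conf lines this assumes (values illustrative, not a recommendation):
#   set limit states 10000
#   set limit frags  5000

# Constructed sample standing in for `pfctl -sm`; replace with the real
# command on a live firewall.
sample_limits() {
cat <<'EOF'
states        hard limit    10000
frags         hard limit     5000
EOF
}

# Constructed sample standing in for `pfctl -si`; replace with the real
# command on a live firewall.
sample_info() {
cat <<'EOF'
Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                     9200
  searches                          123456            1.0/s
EOF
}

# limit_for NAME: hard limit for the named pool (states, frags) from
# pfctl -sm style output
limit_for() {
    sample_limits | awk -v n="$1" '$1 == n && $2 == "hard" { print $4 }'
}

# current_states: "current entries" count from pfctl -si style output
current_states() {
    sample_info | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# percent USED LIMIT: integer percentage of LIMIT in use
percent() {
    echo $(( $1 * 100 / $2 ))
}

# state_usage_pct: how full the state table is, as a percentage of the
# configured hard limit
state_usage_pct() {
    percent "$(current_states)" "$(limit_for states)"
}

# check_headroom THRESHOLD: return 0 while usage is below THRESHOLD percent,
# 1 (with a warning) once it reaches it; suitable for a cron/monitoring hook
check_headroom() {
    pct=$(state_usage_pct)
    if [ "$pct" -ge "$1" ]; then
        echo "WARNING: state table at ${pct}% of hard limit ($(limit_for states))"
        return 1
    fi
    echo "state table at ${pct}% of hard limit ($(limit_for states))"
    return 0
}

# With the constructed sample (9200 of 10000), this reports 92% and returns 0.
check_headroom 95
```

Run it while the test traffic described above is flowing (with the relevant `set timeout` values raised so entries persist); if usage stays comfortably below the threshold and the box does not run out of pool memory, the chosen limits are ones the machine can actually sustain.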