Dynamic kernel tables
To keep track of stateful connections, as well as network-address-translated ones, IPFIRE
dynamically allocates an entry (a "dynamic table") for each connection. These tables are defined in
the header files ipfi.h, ipfi_machine.h and
ipfi_translation.h. As one can see by inspecting the sources, a dynamic table is
loaded into memory with a timer already initialized. The timer is refreshed each time a packet
matches the table, so a connection is kept alive only as long as packets keep flowing at least once every
timeout seconds; a table whose timer runs out decays and its memory is released.
The kernel firewall keeps a counter for each kind of dynamic table: one for
log tables, one for state tables and one for NATted connections. When a counter reaches
the maximum value allowed, no further tables of that kind are allocated until an existing
entry decays and decrements the corresponding counter. This bound is what prevents a Denial of Service
against the firewall itself: without an upper limit on the number of tables, it would be relatively
easy to open a huge number of connections and saturate system memory.
The administrator should take care of this aspect, and the user interface helps by
printing at startup the maximum memory consumed in the worst case (the upper limit times the size of one table). Timeout
and upper-limit values should be set taking into account both system resources and network load:
a timeout that is too long keeps dead connections in memory, while a limit that is too low drops legitimate new connections once it is reached.
To set these values, see the configuration files chapter.
When a counter reaches its upper bound, the event is logged to syslog.
As you can observe in the screenshot above, at IPFIRE startup the timer information
is shown, in seconds. Note that for the lifetime of state tables it is possible to specify
one value for the established-connection timer and another one
for the setup or shutdown phase. This allows a
shorter timeout while a connection is starting or closing but not yet (or no longer) established, so half-open or half-closed connections are expired quickly and free their slot sooner.
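The following C model, added here as an illustration and not taken from the IPFIRE sources, puts the three mechanisms described above together: a per-entry decay timer refreshed on every matching packet, a hard upper bound enforced by a counter that is decremented only when an entry decays, and a shorter timeout for the setup and shutdown phases than for established connections. All names (dyn_table, dyn_packet, the field names, the simulated clock) are hypothetical; the real tables live in ipfi.h, ipfi_machine.h and ipfi_translation.h and are keyed and timed by the kernel, not by a user-space tick counter. Refused allocations are counted where a real firewall would emit the syslog message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of one kind of dynamic table (e.g. the state table):
 * a linked list of entries with a decay timer and a bounded counter.
 * Added example, not IPFIRE code. Clock values are arbitrary seconds. */

enum conn_state { CONN_SETUP, CONN_ESTABLISHED, CONN_CLOSING };

struct dyn_entry {
    uint32_t src, dst;          /* endpoints of the tracked connection */
    uint16_t sport, dport;
    enum conn_state state;
    unsigned long expires;      /* clock value at which the entry decays */
    struct dyn_entry *next;
};

struct dyn_table {
    struct dyn_entry *head;
    unsigned count;             /* entries currently allocated */
    unsigned max;               /* upper bound; no allocation beyond it */
    unsigned timeout_established;
    unsigned timeout_transient; /* setup and shutdown phases */
    unsigned refused;           /* allocations refused because count == max */
};

void dyn_init(struct dyn_table *t, unsigned max,
              unsigned timeout_established, unsigned timeout_transient)
{
    t->head = NULL;
    t->count = 0;
    t->max = max;
    t->timeout_established = timeout_established;
    t->timeout_transient = timeout_transient;
    t->refused = 0;
}

/* Worst-case memory the table can consume; the upper bound is what keeps
 * this finite, which is the figure printed at startup. */
size_t dyn_worst_case_bytes(const struct dyn_table *t)
{
    return (size_t)t->max * sizeof(struct dyn_entry);
}

static unsigned timeout_for(const struct dyn_table *t, enum conn_state s)
{
    return s == CONN_ESTABLISHED ? t->timeout_established : t->timeout_transient;
}

/* Drop every entry whose timer ran out; each decay frees one slot. */
void dyn_expire(struct dyn_table *t, unsigned long now)
{
    struct dyn_entry **pp = &t->head;
    while (*pp) {
        struct dyn_entry *e = *pp;
        if (now >= e->expires) {
            *pp = e->next;
            free(e);
            t->count--;
        } else {
            pp = &e->next;
        }
    }
}

struct dyn_entry *dyn_lookup(struct dyn_table *t, uint32_t src, uint32_t dst,
                             uint16_t sport, uint16_t dport)
{
    for (struct dyn_entry *e = t->head; e; e = e->next)
        if (e->src == src && e->dst == dst && e->sport == sport && e->dport == dport)
            return e;
    return NULL;
}

/* Called for each packet. A match refreshes the timer for the packet's
 * phase; a miss allocates an entry unless the counter is at its maximum,
 * in which case NULL is returned and the event is counted (a real firewall
 * would log it to syslog here). */
struct dyn_entry *dyn_packet(struct dyn_table *t, uint32_t src, uint32_t dst,
                             uint16_t sport, uint16_t dport,
                             enum conn_state state, unsigned long now)
{
    dyn_expire(t, now);
    struct dyn_entry *e = dyn_lookup(t, src, dst, sport, dport);
    if (e == NULL) {
        if (t->count >= t->max) {
            t->refused++;
            return NULL;
        }
        e = calloc(1, sizeof *e);
        if (e == NULL)
            return NULL;
        e->src = src; e->dst = dst; e->sport = sport; e->dport = dport;
        e->next = t->head;
        t->head = e;
        t->count++;
    }
    e->state = state;
    e->expires = now + timeout_for(t, state);
    return e;
}

void dyn_free(struct dyn_table *t)
{
    while (t->head) {
        struct dyn_entry *n = t->head->next;
        free(t->head);
        t->head = n;
    }
    t->count = 0;
}
```

With a bound of two entries, an established timeout of 300 s and a transient timeout of 30 s, two setup-phase connections fill the table, a third is refused, and only once one of the setup entries has decayed (after 30 s without packets) does the third one get a slot; the established entry, refreshed in the meantime, survives. This is exactly the trade-off the configuration values control: a shorter transient timeout returns slots faster under a flood of half-open connections, while the upper limit caps memory regardless of how many connections an attacker opens.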