My first thought is to cron a job, once a minute, to monitor the number of states in `pfctl -s info` ... if any single minute yields an increase of more than 50,000 states, then I flush all states and reload the ruleset.
Is there a better way to contain disaster? With ipfilter, I tweaked kernel settings such as NKMEMCLUSTERS and NMBCLUSTERS to obscenely high numbers (such as 16K). Any other kernel tweaks? Or better yet, anything within pf to directly contain such a state runaway scenario?
Thanks for your time,
jw
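As an added example (not code from the original post), here is the cron-style watchdog the post sketches, written so it can be tried safely before it is allowed to act. It parses the "current entries" line of `pfctl -s info`, compares the count with the one recorded on the previous run, and reports a runaway when the increase exceeds a threshold (50,000 by default, as in the post). The flush-and-reload step runs only when `ACT=1` is set; the function names, the `ACT`/`THRESHOLD`/`PF_CONF` variables, the assumption that `/etc/pf.conf` is the ruleset to reload, and the sample `pfctl -s info` text are all mine, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: a per-minute watchdog for pf
# state-table growth. Parses the "current entries" line of `pfctl -s info`,
# compares it with the count stored from the previous run, and flags a
# runaway when the increase exceeds THRESHOLD. Containment (flush states,
# reload ruleset) runs only when ACT=1, so the script can be dry-run first.
# Assumptions: the `pfctl -s info` output format shown in make_sample, and
# /etc/pf.conf as the ruleset to reload.

THRESHOLD=${THRESHOLD:-50000}
ACT=${ACT:-0}
PF_CONF=${PF_CONF:-/etc/pf.conf}

# Print the state count from `pfctl -s info` text supplied on stdin.
state_count() {
    awk '/current entries/ { print $3; exit }'
}

# Print "runaway" if growth from $1 (previous) to $2 (current) exceeds $3.
growth_verdict() {
    if [ $(( $2 - $1 )) -gt "$3" ]; then
        echo runaway
    else
        echo ok
    fi
}

# Containment step from the post: drop every state, then reload the ruleset.
contain_runaway() {
    pfctl -F states && pfctl -f "$PF_CONF"
}

# One watchdog pass. $1: file remembering the previous count; $2: file with
# `pfctl -s info` output (from cron you would run `pfctl -s info > "$2"`
# first). Prints the verdict; runs containment only when ACT=1.
watchdog_pass() {
    prev=0
    if [ -f "$1" ]; then
        prev=$(cat "$1")
    fi
    cur=$(state_count < "$2")
    echo "$cur" > "$1"
    verdict=$(growth_verdict "$prev" "$cur" "$THRESHOLD")
    if [ "$verdict" = runaway ] && [ "$ACT" = 1 ]; then
        contain_runaway
    fi
    echo "$verdict"
}

# Constructed sample of `pfctl -s info` output (real output has more
# counters); $1 is the file to write, $2 the state count to embed.
make_sample() {
    cat > "$1" <<EOF
Status: Enabled for 0 days 01:23:45          Debug: err

State Table                          Total             Rate
  current entries                    $2
  searches                         5678901           1135.8/s
  inserts                            23456              4.7/s
  removals                           22222              4.4/s
EOF
}

# Demo on constructed data: a quiet minute, then a burst of 120000 new states.
tmp=$(mktemp -d)
make_sample "$tmp/info" 1200;   watchdog_pass "$tmp/last" "$tmp/info"   # ok
make_sample "$tmp/info" 121200; watchdog_pass "$tmp/last" "$tmp/info"   # runaway
rm -rf "$tmp"
```

For production use, replace the sample file with the live `pfctl -s info` output and keep the previous-count file somewhere persistent such as `/var/run`. Note that the first pass after boot compares against a previous count of 0, so a table that is already large when the watchdog starts would register as a runaway; seeding the count file before enabling `ACT=1` avoids that.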