We are building socket filter lists to allow PAM users access to a limited number of remote hosts after logging on to a target device with a Socket Filter Agent (SFA) installed. The remote hosts are not grouped by IP and we may have to add many specific entries in the hosts list for some socket filter lists. Is there a limit on how many host entries can be added, and if so, what is the limit?
There is no limit when defining or importing socket filter lists, and there is no limit for Windows SFAs. However, UNIX/Linux SFAs have a limit of 4096 entries and will drop and not enforce any list exceeding this limit. The limit should be more than sufficient. If access to a very large number of hosts is to be allowed, it should be possible to define netmasks to allow access to ranges of IPs and keep the length of the list much shorter than the number of devices to which access is allowed. This information is accurate as of CA PAM 3.x and may change in future releases.
Please also note that, while there is no limit on creating rules, the data variable used internally is an unsigned short int, which can hold values up to 65,536. Any packet length greater than 65,536 is therefore truncated to a smaller value. This has nothing to do with the number of rows; it concerns the size of the data in bytes.
This will be extended in future releases (3.2.3/3.3) to 2,147,483,647 bytes, which is a signed int.
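The netmask advice above can be checked before a list is imported. The following is an added example, not CA PAM code: it merges individual host addresses into the fewest network/netmask pairs that cover exactly those hosts (so no extra host becomes reachable) and compares the result with the 4096-entry UNIX/Linux SFA limit. The function names and sample addresses are constructed for illustration, and the output is generic address/netmask pairs rather than PAM's import format.

```python
import ipaddress

UNIX_SFA_MAX_ENTRIES = 4096  # UNIX/Linux SFA limit stated in the answer above


def collapse_hosts(hosts):
    """Merge entries into the fewest CIDR blocks covering exactly the same addresses.

    strict=True rejects entries such as 10.0.0.5/24, which would otherwise be
    silently widened to the whole /24 and allow more hosts than intended.
    """
    nets = {ipaddress.ip_network(h.strip(), strict=True) for h in hosts if h.strip()}
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def check_list(hosts, limit=UNIX_SFA_MAX_ENTRIES):
    """Report entry counts before and after collapsing, and whether the list fits."""
    collapsed = collapse_hosts(hosts)
    return {
        "input_entries": len(set(hosts)),
        "collapsed_entries": len(collapsed),
        "addresses_allowed": sum(n.num_addresses for n in collapsed),
        "fits_unix_sfa": len(collapsed) <= limit,
        "entries": [(str(n.network_address), str(n.netmask)) for n in collapsed],
    }


def sample_hosts():
    """Constructed sample: 5120 contiguous hosts plus three scattered ones."""
    hosts = [f"10.20.{b}.{c}" for b in range(20) for c in range(256)]
    return hosts + ["192.0.2.10", "192.0.2.11", "198.51.100.7"]


if __name__ == "__main__":
    report = check_list(sample_hosts())
    print(f"{report['input_entries']} host entries -> "
          f"{report['collapsed_entries']} network entries, "
          f"fits UNIX/Linux SFA limit: {report['fits_unix_sfa']}")
    for address, netmask in report["entries"]:
        print(address, netmask)
```

Because the merge is exact, `addresses_allowed` always equals the number of distinct hosts supplied; hosts that are not contiguous stay as single-host entries and still count toward the limit.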