Bug 26366

Summary: ipfw(8) doesn't document which sysctl control dynamic rules
Product: Documentation Reporter: anarcat <anarcat>
Component: Books & Articles    Assignee: freebsd-doc (Nobody) <doc>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description anarcat 2001-04-05 18:10:01 UTC
ipfw(8) says:
keep-state [method]
                     Upon a match, the firewall will create a dynamic rule,
                     whose default behaviour is to match bidirectional
                     traffic between source and destination IP/port using the
                     same protocol.  The rule has a limited lifetime
                     (controlled by a set of sysctl(8) variables), and the
                     lifetime is refreshed every time a matching packet is
                     found.

Note that it mentions sysctl(8) variables, but does not specify which. I have not
been able to find the specification anywhere. In sysctl(8) or anywhere else...

Fix: 

Ahem... It would be something more like a workaround, since I think that
all sysctls should be systematically documented in sysctl(8) or something
like that. Anyhow, here are the sysctls. I don't know where to put them,
I just put the raw info here. It also seems that sysctl(8) does not feature
descriptions of the sysctls, but I'll put it down here anyway.

So the format is: variable, flag, description, default value. All 
fields are uint32_t.

dyn_buckets, "Number of dyn. buckets", 256, must be power of 2
dyn_max, "Max number of dyn. rules", 1000
dyn_ack_lifetime, "Lifetime of dyn. rules for acks", 300
dyn_syn_lifetime, "Lifetime of dyn. rules for syn", 20
dyn_fin_lifetime, "Lifetime of dyn. rules for fin", 20
dyn_rst_lifetime, "Lifetime of dyn. rules for rst", 5
dyn_short_lifetime, "Lifetime of dyn. rules for other situations", 30

I find it sad that the sysctl variables are not better documented, or am
I misinformed?
How-To-Repeat: man ipfw
Comment 1 dima 2001-04-05 23:47:19 UTC
anarcat@tao.ca writes:
> 
> >Number:         26366
> >Category:       docs
> >Synopsis:       ipfw(8) doesn't document which sysctl control dynamic rules
>
> Note that it mentions sysctl(8) variables, but does not specify
> which. I have not been able to find the specification anywhere. In
> sysctl(8) or anywhere else..

No offense, but you can't have looked too hard.  There's a section in
ipfw(8) titled ``SYSCTL VARIABLES'' which documents all the sysctls in
the net.inet.ip.fw tree.  Here's an excerpt:

SYSCTL VARIABLES
     A set of sysctl(8) variables controls the behaviour of the firewall.
     These are shown below together with their default value and meaning:

     net.inet.ip.fw.debug: 1
             Controls debugging messages produced by ipfw.

     net.inet.ip.fw.one_pass: 1
[...]
     net.inet.ip.fw.dyn_buckets: 256

     net.inet.ip.fw.curr_dyn_buckets: 256
             The configured and current size of the hash table used to hold
             dynamic rules.  This must be a power of 2.  The table can only be
             resized when empty, so in order to resize it on the fly you will
             probably have to flush and reload the ruleset.
[...]
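The dyn_* sysctls listed in the description and in the ipfw(8) excerpt above have constraints that are easy to get wrong by hand: dyn_buckets must be a power of 2, and a new dyn_buckets value only takes effect once the dynamic-rule table is empty, so curr_dyn_buckets can lag behind it. The script below is an added example written for this page, not code from the PR, from ipfw, or from the FreeBSD documentation. It audits those sysctls from `sysctl net.inet.ip.fw` output. The SAMPLE text is constructed from the default values quoted in the PR rather than captured from a real host, and the function names (sysctl_value, is_power_of_two, audit_dyn_sysctls) are this example's own.

```shell
#!/bin/sh
# Added example for PR 26366; not part of ipfw(8) or the FreeBSD docs.
# Audits the net.inet.ip.fw.dyn_* sysctls that govern keep-state rules.
# On a FreeBSD host:  audit_dyn_sysctls "$(sysctl net.inet.ip.fw)"
# Offline it runs against SAMPLE, which is constructed from the defaults
# quoted in the PR (it is not output captured from a real machine).

SAMPLE='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 30'

# sysctl_value NAME [INPUT]: print the value of NAME from "name: value"
# lines (the format sysctl(8) prints). INPUT defaults to SAMPLE.
sysctl_value() {
    printf '%s\n' "${2:-$SAMPLE}" |
        awk -v k="$1" '$1 == (k ":") { print $2; exit }'
}

# is_power_of_two N: true when N > 0 and exactly one bit of N is set.
is_power_of_two() {
    [ "$1" -gt 0 ] 2>/dev/null && [ $(( $1 & ($1 - 1) )) -eq 0 ]
}

# dyn_load_factor [INPUT]: rough average hash-chain length when the
# dynamic-rule table is full (dyn_max / dyn_buckets, integer division).
dyn_load_factor() {
    input=${1:-$SAMPLE}
    echo $(( $(sysctl_value net.inet.ip.fw.dyn_max "$input") /
             $(sysctl_value net.inet.ip.fw.dyn_buckets "$input") ))
}

# audit_dyn_sysctls [INPUT]: print one line per finding; the exit status
# is the number of findings, so 0 means everything checked out.
audit_dyn_sysctls() {
    input=${1:-$SAMPLE}
    findings=0
    buckets=$(sysctl_value net.inet.ip.fw.dyn_buckets "$input")
    curr=$(sysctl_value net.inet.ip.fw.curr_dyn_buckets "$input")

    # ipfw(8): the hash table size must be a power of 2.
    if ! is_power_of_two "$buckets"; then
        echo "dyn_buckets=$buckets is not a power of 2"
        findings=$((findings + 1))
    fi
    # ipfw(8): the table is only resized when empty, so a configured size
    # that differs from the current one has not taken effect yet.
    if [ "$buckets" != "$curr" ]; then
        echo "dyn_buckets=$buckets but curr_dyn_buckets=$curr:" \
             "flush and reload the ruleset to apply the resize"
        findings=$((findings + 1))
    fi
    # Each lifetime from the PR's list must be present and numeric; a
    # missing one means the tree does not match what ipfw(8) documents.
    for t in ack syn fin rst short; do
        v=$(sysctl_value "net.inet.ip.fw.dyn_${t}_lifetime" "$input")
        case $v in
            ''|*[!0-9]*)
                echo "dyn_${t}_lifetime missing or non-numeric: '$v'"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Stand-alone run against the constructed sample.
audit_dyn_sysctls && echo "net.inet.ip.fw.dyn_* sysctls look consistent" \
    "(load factor $(dyn_load_factor) rules per bucket when full)"
```

The lifetimes themselves are policy (how long an idle half-open or established flow keeps its dynamic rule), so the script only checks that they exist; dyn_max against the expected number of concurrent sessions is the value to tune by hand, and the load-factor line shows how it relates to the bucket count.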
Comment 2 anarcat 2001-04-06 00:39:17 UTC
Er. I'm sorry. <Close that pr!> :)

Apart from that... 

Shouldn't sysctl(8) document all sysctl? :)

Anyways, sorry again for the noise.. Thank you for your politeness. :)

A.

On Thu, 05 Apr 2001, Dima Dorfman wrote:

> anarcat@tao.ca writes:
> > 
> > >Number:         26366
> > >Category:       docs
> > >Synopsis:       ipfw(8) doesn't document which sysctl control dynamic rules
> >
> > Note that it mentions sysctl(8) variables, but does not specify
> > which. I have not been able to find the specification anywhere. In
> > sysctl(8) or anywhere else..
> 
> No offense, but you can't have looked too hard.  There's a section in
> ipfw(8) titled ``SYSCTL VARIABLES'' which documents all the sysctls in
> the net.inet.ip.fw tree.  Here's an excerpt:
> 
> SYSCTL VARIABLES
>      A set of sysctl(8) variables controls the behaviour of the firewall.
>      These are shown below together with their default value and meaning:
> 
>      net.inet.ip.fw.debug: 1
>              Controls debugging messages produced by ipfw.
> 
>      net.inet.ip.fw.one_pass: 1
> [...]
>      net.inet.ip.fw.dyn_buckets: 256
> 
>      net.inet.ip.fw.curr_dyn_buckets: 256
>              The configured and current size of the hash table used to hold
>              dynamic rules.  This must be a power of 2.  The table can only be
>              resized when empty, so in order to resize it on the fly you will
>              probably have to flush and reload the ruleset.
> [...]
Comment 3 dima 2001-04-08 20:51:23 UTC
anarcat <anarcat@tao.ca> writes:
> Shouldn't sysctl(8) document all sysctl? :)

Perhaps, but no one in their right mind will probably want to maintain
it.  There are currently 588 sysctls on my -current system, with more
being added every day.  Not to mention semantics being changed.  In
other words: it will become so outdated so quickly that I don't think
it's worth it.

					Dima Dorfman
					dima@unixfreak.org
Comment 4 dd freebsd_committer freebsd_triage 2001-04-08 20:51:45 UTC
State Changed
From-To: open->closed

Originator reports that he just needed to scroll down a little further.