From nobody@FreeBSD.org  Thu Apr  5 10:02:58 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id E360437B506
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  5 Apr 2001 10:02:57 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f35H2ve61899;
	Thu, 5 Apr 2001 10:02:57 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200104051702.f35H2ve61899@freefall.freebsd.org>
Date: Thu, 5 Apr 2001 10:02:57 -0700 (PDT)
From: anarcat@tao.ca
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw(8) doesn't document which sysctl control dynamic rules
X-Send-Pr-Version: www-1.0

>Number:         26366
>Category:       docs
>Synopsis:       ipfw(8) doesn't document which sysctl control dynamic rules
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 05 10:10:01 PDT 2001
>Closed-Date:    Sun Apr 8 12:51:45 PDT 2001
>Last-Modified:  Sun Apr  8 13:00:03 PDT 2001
>Originator:     The Anarcat
>Release:        FreeBSD-4.2-STABLE
>Organization:
Nada, Inc.
>Environment:
man page cgi interface on www.freebsd.org. :)
>Description:
ipfw(8) says:
keep-state [method]
                     Upon a match, the firewall will create a dynamic rule,
                     whose default behaviour is to match bidirectional
                     traffic between source and destination IP/port using the
                     same protocol.  The rule has a limited lifetime
                     (controlled by a set of sysctl(8) variables), and the
                     lifetime is refreshed every time a matching packet is
                     found.

Note that it mentions sysctl(8) variables, but does not specify which. I have not
been able to find the specification anywhere, in sysctl(8) or anywhere else...
>How-To-Repeat:
man ipfw
>Fix:
Ahem... It would be something more like a workaround, since I think that
all sysctls should be systematically documented in sysctl(8) or something
like that. Anyhow, here are the sysctls. I don't know where to put them,
I just put the raw info here. It also seems that sysctl(8) does not feature
descriptions of the sysctls, but I'll put it down here anyways.

So the format is: variable, flag, description, default value. All 
fields are uint32_t.

dyn_buckets, "Number of dyn. buckets", 256, must be power of 2
dyn_max, "Max number of dyn. rules", 1000
dyn_ack_lifetime, "Lifetime of dyn. rules for acks", 300
dyn_syn_lifetime, "Lifetime of dyn. rules for syn", 20
dyn_fin_lifetime, "Lifetime of dyn. rules for fin", 20
dyn_rst_lifetime, "Lifetime of dyn. rules for rst", 5
dyn_short_lifetime, "Lifetime of dyn. rules for other situations", 30

I find it sad that the sysctl variables are not better documented, or am
I misinformed?
>Release-Note:
>Audit-Trail:

From: Dima Dorfman <dima@unixfreak.org>
To: anarcat@tao.ca
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: docs/26366: ipfw(8) doesn't document which sysctl control dynamic rules 
Date: Thu, 05 Apr 2001 15:47:19 -0700

 anarcat@tao.ca writes:
 > 
 > >Number:         26366
 > >Category:       docs
 > >Synopsis:       ipfw(8) doesn't document which sysctl control dynamic rules
 >
 > Note that it mentions sysctl(8) variables, but does not specify
 > which. I have not been able to find the specification anywhere. In
 > sysctl(8) or anywhere else..
 
 No offense, but you can't have looked too hard.  There's a section in
 ipfw(8) titled ``SYSCTL VARIABLES'' which documents all the sysctls in
 the net.inet.ip.fw tree.  Here's an excerpt:
 
 SYSCTL VARIABLES
      A set of sysctl(8) variables controls the behaviour of the firewall.
      These are shown below together with their default value and meaning:
 
      net.inet.ip.fw.debug: 1
              Controls debugging messages produced by ipfw.
 
      net.inet.ip.fw.one_pass: 1
 [...]
      net.inet.ip.fw.dyn_buckets: 256
 
      net.inet.ip.fw.curr_dyn_buckets: 256
              The configured and current size of the hash table used to hold
              dynamic rules.  This must be a power of 2.  The table can only be
              resized when empty, so in order to resize it on the fly you will
              probably have to flush and reload the ruleset.
 [...]
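As an added example (not code from the PR, from ipfw(8) or from the FreeBSD project), a small audit script that checks a host's net.inet.ip.fw dynamic-rule sysctls against the constraints and defaults stated above: dyn_buckets must be a power of 2, curr_dyn_buckets must match it (the table only resizes while empty), and each per-state lifetime is compared with the default listed in the PR. The function names and the sample sysctl output are this example's own.

```sh
#!/bin/sh
# Added example, not code from the PR or from ipfw(8): audit the dynamic-rule
# sysctls against what the man page excerpt and the PR state. Input is
# "name: value" lines as sysctl(8) prints them; on a FreeBSD host run
#   sysctl net.inet.ip.fw | audit_ipfw_dyn
# The sample at the bottom is constructed.

flag() { echo "FINDING: $1"; rc=1; }

# Report a lifetime that has been raised above the default listed in the PR.
over() { if [ "$2" -gt "$3" ]; then flag "$1=$2 exceeds default $3"; fi; }

# Reads sysctl output on stdin; returns 0 when no finding was raised, else 1.
audit_ipfw_dyn() {
    buckets=0 curr=0 rc=0
    while IFS=': ' read -r name value; do
        case "$name" in
            net.inet.ip.fw.dyn_buckets)        buckets=$value ;;
            net.inet.ip.fw.curr_dyn_buckets)   curr=$value ;;
            net.inet.ip.fw.dyn_ack_lifetime)   over "$name" "$value" 300 ;;
            net.inet.ip.fw.dyn_syn_lifetime)   over "$name" "$value" 20 ;;
            net.inet.ip.fw.dyn_fin_lifetime)   over "$name" "$value" 20 ;;
            net.inet.ip.fw.dyn_rst_lifetime)   over "$name" "$value" 5 ;;
            net.inet.ip.fw.dyn_short_lifetime) over "$name" "$value" 30 ;;
        esac
    done
    # dyn_buckets must be a power of 2: n & (n-1) is zero exactly then.
    if [ "$buckets" -le 0 ] || [ $(( buckets & (buckets - 1) )) -ne 0 ]; then
        flag "dyn_buckets=$buckets is not a power of 2"
    fi
    # The table is resized only while empty, so a mismatch means the new
    # size is not in effect until the dynamic rules are flushed and reloaded.
    if [ "$curr" -ne "$buckets" ]; then
        flag "curr_dyn_buckets=$curr differs from dyn_buckets=$buckets (resize pending)"
    fi
    return $rc
}

# Constructed sample: defaults, except a bucket count that is not a power
# of 2 and whose resize has not taken effect.
SAMPLE='net.inet.ip.fw.dyn_buckets: 300
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 30'
printf '%s\n' "$SAMPLE" | audit_ipfw_dyn || echo "audit reported findings"
```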

From: anarcat <anarcat@tao.ca>
To: Dima Dorfman <dima@unixfreak.org>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: docs/26366: ipfw(8) doesn't document which sysctl control dynamic rules
Date: Thu, 5 Apr 2001 18:39:17 -0500

 
 Er. I'm sorry. <Close that pr!> :)
 
 Apart from that...
 
 Shouldn't sysctl(8) document all sysctl? :)
 
 Anyways, sorry again for the noise.. Thank you for your politeness. :)
 
 A.
 
 On Thu, 05 Apr 2001, Dima Dorfman wrote:
 
 > anarcat@tao.ca writes:
 > > 
 > > >Number:         26366
 > > >Category:       docs
 > > >Synopsis:       ipfw(8) doesn't document which sysctl control dynamic rules
 > >
 > > Note that it mentions sysctl(8) variables, but does not specify
 > > which. I have not been able to find the specification anywhere. In
 > > sysctl(8) or anywhere else..
 > 
 > No offense, but you can't have looked too hard.  There's a section in
 > ipfw(8) titled ``SYSCTL VARIABLES'' which documents all the sysctls in
 > the net.inet.ip.fw tree.  Here's an excerpt:
 > 
 > SYSCTL VARIABLES
 >      A set of sysctl(8) variables controls the behaviour of the firewall.
 >      These are shown below together with their default value and meaning:
 > 
 >      net.inet.ip.fw.debug: 1
 >              Controls debugging messages produced by ipfw.
 > 
 >      net.inet.ip.fw.one_pass: 1
 > [...]
 >      net.inet.ip.fw.dyn_buckets: 256
 > 
 >      net.inet.ip.fw.curr_dyn_buckets: 256
 >              The configured and current size of the hash table used to hold
 >              dynamic rules.  This must be a power of 2.  The table can only be
 >              resized when empty, so in order to resize it on the fly you will
 >              probably have to flush and reload the ruleset.
 > [...]
 
State-Changed-From-To: open->closed 
State-Changed-By: dd 
State-Changed-When: Sun Apr 8 12:51:45 PDT 2001 
State-Changed-Why:  
Originator reports that he just needed to scroll down a little further. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26366 

From: Dima Dorfman <dima@unixfreak.org>
To: anarcat <anarcat@tao.ca>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: docs/26366: ipfw(8) doesn't document which sysctl control dynamic rules 
Date: Sun, 08 Apr 2001 12:51:23 -0700

 anarcat <anarcat@tao.ca> writes:
 > Shouldn't sysctl(8) document all sysctl? :)
 
 Perhaps, but no one in their right mind will probably want to maintain
 it.  There are currently 588 sysctls on my -current system, with more
 being added every day.  Not to mention semantics being changed.  In
 other words: it will become so outdated so quickly that I don't think
 it's worth it.
 
 					Dima Dorfman
 					dima@unixfreak.org
 
>Unformatted:
