Date: Fri, 8 Jun 2001 11:55:59 -0400 (EDT)
From: Darren Henderson
Subject: buckets & sysctl

I can't seem to get the number of buckets ipfw uses to increase.

This is on a 4.3-STABLE machine with kern.securelevel -1.

In /etc/sysctl.conf I set

net.inet.ip.fw.dyn_buckets=512
net.inet.ip.fw.dyn_max=2000

The dyn_buckets does go to 512 and dyn_max goes to 2000 but the curr_dyn_buckets never goes beyond the default 256. ipfw just doesn't resize the structure, even if all 2000 buckets are used and ipfw is reporting that it can't create any new dynamic rules.

The goal here is to have fewer entries in each bucket.

How do I convince ipfw to use all the buckets? Does dyn_max have to be a multiple of dyn_buckets? That doesn't appear to be true (I still can achieve 2000 dynamic rules with the 256 buckets). Is it a timing issue, does dyn_buckets have to be set at some point earlier than sysctl.conf is processed?

sysctl -A | grep ip.fw shows the following...

net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 512
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 114
net.inet.ip.fw.dyn_max: 2000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 30

Any thoughts appreciated.

______________________________________________________________________
Darren Henderson                                   darren@nighttide.net

Help fight junk e-mail, visit http://www.cauce.org/