Message-Id: <200902270541.WAA01313@lariat.net>
Date: Thu, 26 Feb 2009 22:41:20 -0700
To: net@freebsd.org
From: Brett Glass
Subject: Recommended additions to ipfw command: increment and verbosity limit
List-Id: Networking and TCP/IP with FreeBSD

Everyone:

Reviewing the latest man page for ipfw(8), I see that the only way to change the automatic increment for rules is still to set a sysctl variable (net.inet.ip.fw.autoinc_step). This was once also the case for "one pass" behavior (net.inet.ip.fw.one_pass) as well as verbose logging, debugging messages, and the global enable bit for the entire firewall. However, various "ipfw enable" and "ipfw disable" subcommands were added over time to eliminate the need to set arcane sysctl variables.

The only two commonly used parameters that are still not settable from the ipfw(8) command seem to be autoinc_step and verbose_limit. (autoinc_step has to be in the range 1..1000, while verbose_limit seems to be able to take any unsigned integer value.)

I'd like to recommend that subcommands be added to set them, not only for the sake of consistency but to make it unnecessary to circumvent the ipfw command to configure one's firewall. The sysctl variables could remain to provide backward compatibility and to satisfy the Principle of Least Astonishment.

Comments? Should I submit code? (Anyone qualified to be a committer should be able to make the changes by copying and editing a few lines, but...)

--Brett Glass