Date: Thu, 23 Jul 2020 15:15:48 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 248088] ipfilter variable substitution in rules & nat file not documented
Message-ID: <bug-248088-227-3OUwSOYvy7@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-248088-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-248088-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248088

Cy Schubert <cy@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |Not A Bug
             Status|New                         |Closed

--- Comment #1 from Cy Schubert <cy@FreeBSD.org> ---
You misunderstand. The variables are tunables. Many used to be sysctls. There
is no variable expansion in rules like there is in pf.

The variables are there, i.e.

cwfw# ipf -T list | grep active
active min 0 max 0 current 0
active min 0 max 0 current 0
cwfw# ipf -T list | grep chksrc
chksrc min 0 max 1 current 0
chksrc min 0 max 1 current 0
cwfw# 

cwfw# ipf -T list
ipf_flags min 0 max 4294967295 current 0
active min 0 max 0 current 0
control_forwarding min 0 max 1 current 0
update_ipid min 0 max 1 current 0
chksrc min 0 max 1 current 0
min_ttl min 0 max 1 current 4
icmp_minfragmtu min 0 max 1 current 68
default_pass min 0 max 4294967295 current 134217730
tcp_idle_timeout min 1 max 2147483647 current 864000
tcp_close_wait min 1 max 2147483647 current 480
tcp_last_ack min 1 max 2147483647 current 60
tcp_timeout min 1 max 2147483647 current 480
tcp_syn_sent min 1 max 2147483647 current 480
tcp_syn_received min 1 max 2147483647 current 480
tcp_closed min 1 max 2147483647 current 60
tcp_half_closed min 1 max 2147483647 current 14400
tcp_time_wait min 1 max 2147483647 current 480
udp_timeout min 1 max 2147483647 current 240
udp_ack_timeout min 1 max 2147483647 current 24
icmp_timeout min 1 max 2147483647 current 120
icmp_ack_timeout min 1 max 2147483647 current 12
ip_timeout min 1 max 2147483647 current 120
ipf_flags min 0 max 4294967295 current 0
active min 0 max 0 current 0
control_forwarding min 0 max 1 current 0
update_ipid min 0 max 1 current 0
chksrc min 0 max 1 current 0
min_ttl min 0 max 1 current 4
icmp_minfragmtu min 0 max 1 current 68
default_pass min 0 max 4294967295 current 134217730
tcp_idle_timeout min 1 max 2147483647 current 864000
tcp_close_wait min 1 max 2147483647 current 480
tcp_last_ack min 1 max 2147483647 current 60
tcp_timeout min 1 max 2147483647 current 480
tcp_syn_sent min 1 max 2147483647 current 480
tcp_syn_received min 1 max 2147483647 current 480
tcp_closed min 1 max 2147483647 current 60
tcp_half_closed min 1 max 2147483647 current 14400
tcp_time_wait min 1 max 2147483647 current 480
udp_timeout min 1 max 2147483647 current 240
udp_ack_timeout min 1 max 2147483647 current 24
icmp_timeout min 1 max 2147483647 current 120
icmp_ack_timeout min 1 max 2147483647 current 12
ip_timeout min 1 max 2147483647 current 120
log_suppress min 0 max 1 current 1
log_all min 0 max 1 current 0
log_size min 0 max 524288 current 32768
state_max min 1 max 2147483647 current 4013
state_size min 1 max 2147483647 current 5737
state_lock min 0 max 1 current 0
state_maxbucket min 1 max 2147483647 current 26
state_logging min 0 max 1 current 1
state_wm_high min 2 max 100 current 99
state_wm_low min 1 max 99 current 90
state_wm_freq min 2 max 999999 current 20
nat_lock min 0 max 1 current 0
nat_table_size min 1 max 2147483647 current 2047
nat_table_max min 1 max 2147483647 current 30000
nat_rules_size min 1 max 2147483647 current 127
rdr_rules_size min 1 max 2147483647 current 127
hostmap_size min 1 max 2147483647 current 2047
nat_maxbucket min 1 max 2147483647 current 22
nat_logging min 0 max 1 current 1
nat_doflush min 0 max 1 current 0
nat_table_wm_low min 1 max 99 current 90
nat_table_wm_high min 2 max 100 current 99
frag_size min 1 max 2147483647 current 257
frag_ttl min 1 max 2147483647 current 120
proxy_debug min 0 max 31 current 0
ftp_debug min 0 max 127 current 0
ftp_pasvonly min 0 max 1 current 0
ftp_insecure min 0 max 1 current 0
ftp_pasvrdr min 0 max 1 current 0
ftp_forcepasv min 0 max 1 current 1
ftp_single_xfer min 0 max 1 current 0
tftp_read_only min 0 max 1 current 1
ftp_debug min 0 max 127 current 0
ftp_pasvonly min 0 max 1 current 0
ftp_insecure min 0 max 1 current 0
ftp_pasvrdr min 0 max 1 current 0
ftp_forcepasv min 0 max 1 current 1
ftp_single_xfer min 0 max 1 current 0
cwfw# 

Some of them are duplicated as sysctls.

cwfw# sysctl net.inet.ipf
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_authsize: 32
net.inet.ipf.ipf_hostmap_sz: 2047
net.inet.ipf.ipf_rdrrules_sz: 127
net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_nattable_sz: 2047
net.inet.ipf.ipf_nattable_max: 30000
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_minttl: 4
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_tcpclosed: 60
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcplastack: 60
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_active: 0
net.inet.ipf.ipf_pass: 134217730
net.inet.ipf.fr_flags: 0
cwfw# 

You have misunderstood the man pages.

-- 
You are receiving this mail because:
You are the assignee for the bug.
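
Added example, not part of the original message or of ipfilter itself: a small audit helper that parses output in the `ipf -T list` format quoted above, collapses the repeated entries that listing contains, and compares current values with a site baseline. The sample input and the BASELINE values are constructed assumptions, not recommendations from the message.

```python
import re

# Constructed sample in the format of the `ipf -T list` output quoted above;
# as in that output, a name may be listed more than once.
SAMPLE = """\
cwfw# ipf -T list
chksrc min 0 max 1 current 0
min_ttl min 0 max 1 current 4
state_max min 1 max 2147483647 current 4013
log_all min 0 max 1 current 0
chksrc min 0 max 1 current 0
"""

# Hypothetical site baseline (an assumption, not values taken from the page).
BASELINE = {"chksrc": 1, "log_all": 0, "nat_logging": 1}

LINE = re.compile(r"^(\S+)\s+min\s+(\d+)\s+max\s+(\d+)\s+current\s+(\d+)$")

def parse_tunables(text):
    """Return {name: (min, max, current)}, collapsing identical repeats."""
    tunables = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # shell prompts and blank lines
        name, entry = m.group(1), tuple(int(v) for v in m.group(2, 3, 4))
        if tunables.setdefault(name, entry) != entry:
            raise ValueError(f"conflicting entries for {name}")
    return tunables

def drift(tunables, baseline):
    """List (name, expected, actual) mismatches; actual None = not listed."""
    found = []
    for name, expected in sorted(baseline.items()):
        actual = tunables[name][2] if name in tunables else None
        if actual != expected:
            found.append((name, expected, actual))
    return found

def outside_printed_bounds(tunables):
    """Names whose current value lies outside the printed min..max
    (the listing above shows min_ttl with max 1 and current 4)."""
    return sorted(n for n, (lo, hi, cur) in tunables.items() if not lo <= cur <= hi)

if __name__ == "__main__":
    t = parse_tunables(SAMPLE)
    for name, expected, actual in drift(t, BASELINE):
        print(f"DRIFT {name}: expected {expected}, got {actual}")
    print("outside printed bounds:", outside_printed_bounds(t))
```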