[Bug 248088] ipfilter variable substitution in rules & nat file not documented
bugzilla-noreply at freebsd.org
Thu Jul 23 15:15:49 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248088
Cy Schubert <cy at FreeBSD.org> changed:
What        | Removed | Added
------------|---------|-----------
Resolution  | ---     | Not A Bug
Status      | New     | Closed
--- Comment #1 from Cy Schubert <cy at FreeBSD.org> ---
You misunderstand. The variables are tunables. Many used to be sysctls. There
is no variable expansion in rules like there is in pf.
The variables are there, i.e.
cwfw# ipf -T list | grep active
active min 0 max 0 current 0
active min 0 max 0 current 0
cwfw# ipf -T list | grep chksrc
chksrc min 0 max 1 current 0
chksrc min 0 max 1 current 0
cwfw#
cwfw# ipf -T list
ipf_flags min 0 max 4294967295 current 0
active min 0 max 0 current 0
control_forwarding min 0 max 1 current 0
update_ipid min 0 max 1 current 0
chksrc min 0 max 1 current 0
min_ttl min 0 max 1 current 4
icmp_minfragmtu min 0 max 1 current 68
default_pass min 0 max 4294967295 current 134217730
tcp_idle_timeout min 1 max 2147483647 current 864000
tcp_close_wait min 1 max 2147483647 current 480
tcp_last_ack min 1 max 2147483647 current 60
tcp_timeout min 1 max 2147483647 current 480
tcp_syn_sent min 1 max 2147483647 current 480
tcp_syn_received min 1 max 2147483647 current 480
tcp_closed min 1 max 2147483647 current 60
tcp_half_closed min 1 max 2147483647 current 14400
tcp_time_wait min 1 max 2147483647 current 480
udp_timeout min 1 max 2147483647 current 240
udp_ack_timeout min 1 max 2147483647 current 24
icmp_timeout min 1 max 2147483647 current 120
icmp_ack_timeout min 1 max 2147483647 current 12
ip_timeout min 1 max 2147483647 current 120
ipf_flags min 0 max 4294967295 current 0
active min 0 max 0 current 0
control_forwarding min 0 max 1 current 0
update_ipid min 0 max 1 current 0
chksrc min 0 max 1 current 0
min_ttl min 0 max 1 current 4
icmp_minfragmtu min 0 max 1 current 68
default_pass min 0 max 4294967295 current 134217730
tcp_idle_timeout min 1 max 2147483647 current 864000
tcp_close_wait min 1 max 2147483647 current 480
tcp_last_ack min 1 max 2147483647 current 60
tcp_timeout min 1 max 2147483647 current 480
tcp_syn_sent min 1 max 2147483647 current 480
tcp_syn_received min 1 max 2147483647 current 480
tcp_closed min 1 max 2147483647 current 60
tcp_half_closed min 1 max 2147483647 current 14400
tcp_time_wait min 1 max 2147483647 current 480
udp_timeout min 1 max 2147483647 current 240
udp_ack_timeout min 1 max 2147483647 current 24
icmp_timeout min 1 max 2147483647 current 120
icmp_ack_timeout min 1 max 2147483647 current 12
ip_timeout min 1 max 2147483647 current 120
log_suppress min 0 max 1 current 1
log_all min 0 max 1 current 0
log_size min 0 max 524288 current 32768
state_max min 1 max 2147483647 current 4013
state_size min 1 max 2147483647 current 5737
state_lock min 0 max 1 current 0
state_maxbucket min 1 max 2147483647 current 26
state_logging min 0 max 1 current 1
state_wm_high min 2 max 100 current 99
state_wm_low min 1 max 99 current 90
state_wm_freq min 2 max 999999 current 20
nat_lock min 0 max 1 current 0
nat_table_size min 1 max 2147483647 current 2047
nat_table_max min 1 max 2147483647 current 30000
nat_rules_size min 1 max 2147483647 current 127
rdr_rules_size min 1 max 2147483647 current 127
hostmap_size min 1 max 2147483647 current 2047
nat_maxbucket min 1 max 2147483647 current 22
nat_logging min 0 max 1 current 1
nat_doflush min 0 max 1 current 0
nat_table_wm_low min 1 max 99 current 90
nat_table_wm_high min 2 max 100 current 99
frag_size min 1 max 2147483647 current 257
frag_ttl min 1 max 2147483647 current 120
proxy_debug min 0 max 31 current 0
ftp_debug min 0 max 127 current 0
ftp_pasvonly min 0 max 1 current 0
ftp_insecure min 0 max 1 current 0
ftp_pasvrdr min 0 max 1 current 0
ftp_forcepasv min 0 max 1 current 1
ftp_single_xfer min 0 max 1 current 0
tftp_read_only min 0 max 1 current 1
ftp_debug min 0 max 127 current 0
ftp_pasvonly min 0 max 1 current 0
ftp_insecure min 0 max 1 current 0
ftp_pasvrdr min 0 max 1 current 0
ftp_forcepasv min 0 max 1 current 1
ftp_single_xfer min 0 max 1 current 0
cwfw#
Some of them are duplicated as sysctls.
cwfw# sysctl net.inet.ipf
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_authsize: 32
net.inet.ipf.ipf_hostmap_sz: 2047
net.inet.ipf.ipf_rdrrules_sz: 127
net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_nattable_sz: 2047
net.inet.ipf.ipf_nattable_max: 30000
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_minttl: 4
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_tcpclosed: 60
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcplastack: 60
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_active: 0
net.inet.ipf.ipf_pass: 134217730
net.inet.ipf.fr_flags: 0
cwfw#
You have misunderstood the man pages.
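As an added example (not part of this reply or of the ipfilter project), a small POSIX sh check that parses the `name min X max Y current Z` format `ipf -T list` prints above and compares a few security-relevant tunables against a baseline; the sample text and the expected values are constructed assumptions, and `ipf -T name=value` is the documented way to set one.

```shell
#!/bin/sh
# Constructed sample of `ipf -T list` output (not captured from a real host).
SAMPLE='ipf_flags min 0 max 4294967295 current 0
chksrc min 0 max 1 current 0
ftp_insecure min 0 max 1 current 0
tftp_read_only min 0 max 1 current 1
state_logging min 0 max 1 current 1
log_all min 0 max 1 current 0'

# tunable_current NAME TEXT: print the "current" value of NAME from the
# listing in TEXT, or nothing if NAME is not present.
tunable_current() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $NF; exit }'
}

# check_tunables TEXT: warn on stderr for each tunable that differs from the
# assumed hardened value and print the number of mismatches on stdout.
# chksrc=1 enables the source-address/interface consistency check,
# ftp_insecure=0 and tftp_read_only=1 restrict the ftp/tftp proxies,
# state_logging=1 keeps state-table events in the ipf log.
check_tunables() {
    _text=$1
    _bad=0
    for spec in chksrc=1 ftp_insecure=0 tftp_read_only=1 state_logging=1; do
        name=${spec%=*}
        want=${spec#*=}
        have=$(tunable_current "$name" "$_text")
        if [ "$have" != "$want" ]; then
            echo "WARN: $name is '${have:-unset}', expected $want" \
                 "(set with: ipf -T $name=$want)" >&2
            _bad=$((_bad + 1))
        fi
    done
    echo "$_bad"
}

# On a live host, replace the sample with: check_tunables "$(ipf -T list)"
check_tunables "$SAMPLE"
```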