Date:      Mon, 18 Jun 2001 21:40:11 -0400 (EDT)
From:      Darren Henderson <>
To:        Luigi Rizzo <>
Cc:        <>
Subject:   Re: buckets & sysctl
Message-ID:  <Pine.BSF.4.30.0106182128150.552-100000@localhost>
In-Reply-To: <>



Got a chance to try the change to ipfw you mentioned in your message,
(see below).

There are mixed results.

This does allow you to affect the number of buckets in use at boot time
through /etc/sysctl.conf and everything appears to work fine. I do see a
number of buckets that aren't being used but that may change as the system
runs. Would expect the hash distribution to be flatter after a few hours.

However, this does not appear to allow you to change the number of buckets
in use after the system is up. It may be operator error...I may not be
doing the right things to cause that bit of code to be re-executed. I
flush the ipfw rules and then use sysctl to write a new value and then
rerun my firewall rules to load things back in there. The current bucket
count remains unchanged.

I don't know the code so I can't really hazard much of a guess. Could it
perhaps be the default deny rule that messes things up? I would have
guessed that the prohibition in the man page about resetting this while
there were rules applied to the dynamic rules and not the static ones,
though. Not sure when the bit of code you discussed below is executed.

At any rate it does allow one to reset the number of buckets at boot time
which is certainly a step forward, thank you. I'll let you know if I
observe any adverse effects over the next few days.

Now if I can figure out how to keep the two dynamic rules from being
created for natd'd packets...

- Darren

On Sat, 9 Jun 2001, Luigi Rizzo wrote:

> >
> > I can't seem to get the number of buckets ipfw uses to increase.
> you are right, there is some bug in the part of code which handles
> updates to dyn_buckets.
> The actual variable used is curr_dyn_buckets, which in my intentions
> should be set to the power of 2 closest to dyn_buckets -- but as
> you can see in the code there is no place where the variable is
> actually set. This should be done in add_dyn_rule, probably something
> like this in /sys/netinet/ip_fw.c
>       u_int32_t i = dyn_buckets ;
>        while ( i > 0 && (i & 1) == 0 )
>            i >>= 1 ;
>        if (i != 1) /* not a power of 2 */
>            dyn_buckets = curr_dyn_buckets ; /* reset */
>        else {
> +          curr_dyn_buckets = dyn_buckets ; /* update */
>            if (ipfw_dyn_v != NULL)
>                 free(ipfw_dyn_v, M_IPFW);
>            ipfw_dyn_v = malloc(curr_dyn_buckets * sizeof r,
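Review bot: the else branch frees ipfw_dyn_v and allocates a fresh array without, in the quoted lines, any check that no dynamic rules are still chained off the old buckets; unless the enclosing condition guarantees an empty table, "free(ipfw_dyn_v, M_IPFW)" orphans those entries and leaves every pointer into the old array dangling. Make the empty-table requirement explicit (a live-rule count in the condition, or at least a comment naming the guard), and since the malloc line is cut off in the quote, confirm that its result is tested for NULL before ipfw_dyn_v is used, because curr_dyn_buckets has already been updated by the time the allocation can fail. Minor: the "i != 1" test also rejects dyn_buckets == 0 (the loop exits with i == 0), which is the right outcome but deserves a comment.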
> but i want to look at the code a bit more carefully before committing this.
> If you want to test this patch, i'd be glad to know how it works
> for you.
> 	cheers
> 	luigi
> -----------------------------------+-------------------------------------
>   Luigi RIZZO,  . Dip. di Ing. dell'Informazione
>  . Universita` di Pisa
>   TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
>   Mobile   +39-347-0373137
> -----------------------------------+-------------------------------------

Darren Henderson                        
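The behaviour Darren describes (the bucket count can be set before the table is first used, but a sysctl write while dynamic rules exist does nothing, and a non-power-of-two request is thrown away) can be modelled in userland. The following is an added example written for this page, not the ip_fw.c code Luigi posted or any FreeBSD code; it reuses the thread's names (dyn_buckets, curr_dyn_buckets, ipfw_dyn_v) and assumes a live-rule counter, dyn_count, plus the "only resize an empty table" guard that the man-page restriction implies. The hash mask at the end is why the power-of-two rounding matters at all.

```c
/*
 * Userland model of ipfw's dynamic-rule bucket handling as discussed in
 * this thread. Added example, not the kernel code from the quoted patch.
 * dyn_count and the empty-table guard are assumptions made for the model.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct dyn_rule {
    uint32_t key;               /* stands in for the flow 5-tuple */
    struct dyn_rule *next;      /* chain within one bucket */
};

static uint32_t dyn_buckets = 256;        /* the sysctl-tunable request */
static uint32_t curr_dyn_buckets = 256;   /* size actually in use */
static struct dyn_rule **ipfw_dyn_v;      /* bucket array, NULL until first rule */
static uint32_t dyn_count;                /* live dynamic rules (assumed counter) */

/* Power-of-two test as written in the quoted patch: strip trailing zero
 * bits and expect exactly 1 to remain (0 is rejected too). */
int is_power_of_two(uint32_t n)
{
    uint32_t i = n;
    while (i > 0 && (i & 1) == 0)
        i >>= 1;
    return i == 1;
}

/* (Re)allocate the bucket array only when nothing is chained off it.
 * Returns 1 if reallocated, 0 if the existing table was kept, -1 on
 * allocation failure. */
static int maybe_resize_buckets(void)
{
    if (ipfw_dyn_v != NULL &&
        (dyn_count != 0 || dyn_buckets == curr_dyn_buckets))
        return 0;   /* live entries hang off the old array: refuse to resize */
    if (!is_power_of_two(dyn_buckets)) {
        dyn_buckets = curr_dyn_buckets;   /* reject the request, as the patch does */
        if (ipfw_dyn_v != NULL)
            return 0;
    } else {
        curr_dyn_buckets = dyn_buckets;
    }
    free(ipfw_dyn_v);                     /* empty or absent table: safe to drop */
    ipfw_dyn_v = calloc(curr_dyn_buckets, sizeof *ipfw_dyn_v);
    return ipfw_dyn_v == NULL ? -1 : 1;
}

/* Insert a rule; masking instead of modulo is valid only because
 * curr_dyn_buckets is always a power of two. */
int add_dyn_rule(uint32_t key)
{
    if (maybe_resize_buckets() < 0)
        return -1;
    struct dyn_rule *r = malloc(sizeof *r);
    if (r == NULL)
        return -1;
    uint32_t h = key & (curr_dyn_buckets - 1);
    r->key = key;
    r->next = ipfw_dyn_v[h];
    ipfw_dyn_v[h] = r;
    dyn_count++;
    return 0;
}

/* Drop every dynamic rule; returns how many were freed. */
uint32_t flush_dyn_rules(void)
{
    uint32_t freed = 0;
    for (uint32_t b = 0; ipfw_dyn_v != NULL && b < curr_dyn_buckets; b++) {
        struct dyn_rule *r = ipfw_dyn_v[b];
        while (r != NULL) { struct dyn_rule *n = r->next; free(r); r = n; freed++; }
        ipfw_dyn_v[b] = NULL;
    }
    dyn_count = 0;
    return freed;
}

/* Buckets holding at least one rule (the "unused buckets" Darren saw). */
uint32_t buckets_in_use(void)
{
    uint32_t used = 0;
    for (uint32_t b = 0; ipfw_dyn_v != NULL && b < curr_dyn_buckets; b++)
        used += ipfw_dyn_v[b] != NULL;
    return used;
}

/* Mirror of the sysctl write; returns the size still in use afterwards. */
uint32_t set_dyn_buckets(uint32_t requested) { dyn_buckets = requested; return curr_dyn_buckets; }
uint32_t get_curr_dyn_buckets(void) { return curr_dyn_buckets; }
uint32_t get_dyn_buckets(void) { return dyn_buckets; }
uint32_t get_dyn_count(void) { return dyn_count; }

int main(void)
{
    set_dyn_buckets(1024); add_dyn_rule(1);          /* first rule allocates 1024 */
    set_dyn_buckets(4096); add_dyn_rule(2);          /* request while a rule is live */
    printf("live rules: curr=%u requested=%u\n", curr_dyn_buckets, dyn_buckets);
    flush_dyn_rules(); add_dyn_rule(3);              /* empty table: resize happens */
    printf("after flush: curr=%u\n", curr_dyn_buckets);
    return 0;
}
```

The sequence in main reproduces the thread: the second sysctl write is only honoured after the dynamic table has been emptied, and a request such as 1000 is silently replaced by the size already in use. If the kernel's guard is the same, the boot-time path works because the table is allocated on the first dynamic rule, and a later change needs the dynamic set (not just the static rules) to be empty when the next dynamic rule is created.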
