# Can't seem to get ipfilter_flags in rc.conf working?



## Elshar (Feb 14, 2012)

Hey guys,

Completely virgin FBSD FreeBSD 9 system. Installed from DVD image. 

I need to expand the ipf_nattable_sz and ipf_nattable_max entries. I thought I could just put in what I needed in ipfilter_flags, as such:


```
ipfilter_enable="YES"
ipfilter_flags="-D -T ipf_nattable_sz=10009,ipf_nattable_max=300000 -E"
```

But it doesn't seem to work. It loads ipfilter, but doesn't seem to process what I've passed to flags. Here's the output of `ipf -T list |grep natt`


```
ipf_nattable_sz min 0x1 max 0x7fffffff  current 2047
ipf_nattable_max        min 0x1 max 0x7fffffff  current 30000
```

It remains exactly the same with the rc.conf entry I provided. If I do this:


```
[root@bignat ~]# ipf -D -T ipf_nattable_sz=10009,ipf_nattable_max=300000 -E
```

I get this:


```
[root@bignat ~]# ipf -T list |grep -i natt
ipf_nattable_sz min 0x1 max 0x7fffffff  current 10009
ipf_nattable_max        min 0x1 max 0x7fffffff  current 300000
```

Like I should. I COULD just write a script, dump it into /usr/local/etc/rc.d/, but I'd really rather do this 'properly' in case someone other than me has to maintain this thing if I'm not around. Or even just for myself. Am I missing something? Should I be putting different args into the flags var in rc.conf?

Totally separate issue, but:

I even went so far as to go into /usr/src/sys/modules/ipfilter and do a `make clean && make -DLARGE_NAT depend && make -DLARGE_NAT && make install` but even though during the compile it SHOWS that I used the flag, it doesn't actually increase the table sizes. I even manually modified the Makefile to use the -DLARGE_NAT, still nothing.

Anyone else have experience using the flags in FBSD FreeBD 9.x? Could really use a pointer or two here.

Thanks!


----------



## Elshar (Feb 14, 2012)

I just fixed it. Apparently to start ipfilter to begin with, it needs to have ipfilter_rules set, which it is in /etc/defaults/rc.conf. And because it's set there, you need to either create the one in the default rc.conf, or define it in /etc/rc.conf and create the file you told it.

Also, because it explicitly checks to see if ipfilter_rules is set during the start process, it won't even start ipfilter without ipfilter_rules (At least that I saw), and call your flags option.

So, the fix?


```
touch /etc/ipfilter.rules
```

Now it properly handles the flags option I passed in /etc/rc.conf.

Thanks everyone for watching


----------

