I ran out of space for all my rules, so reduced spacing from 100 to 20. I have not read kernel to check if the kernel might now run out of space somewhere, now I can have more rules, I guess if its doing a malloc it will be OK. It's been running fine with me since at least January 2000 with my 688 rules. I did do a scan of entire /usr/include & /sys for "100" in case somewhere else a programmer has assumed the same 100 but without using a common define, that would have been evil, & deserved to be discovered. Ideally one could convert this 20 to a define & use a sysctl to amend it in the MIB base of net.inet.ip.fw 4.11 has no ip_fw.c
*** 3.3-and-3.4-and-4.1.1-to-4.10-not-4.11-RELEASE/src/sys/netinet/ip_fw.c Sun Aug 29 18:29:44 1999
--- new-generic/src/sys/netinet/ip_fw.c Fri Jan 28 11:17:55 2000
***************
*** 1001,1007 ****
return(0);
}
! /* If entry number is 0, find highest numbered rule and add 100 */
if (ftmp->fw_number == 0) {
for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) {
if (fcp->rule->fw_number != (u_short)-1)
--- 1001,1007 ----
return(0);
}
! /* If entry number is 0, find highest numbered rule and add 20 */
if (ftmp->fw_number == 0) {
for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) {
if (fcp->rule->fw_number != (u_short)-1)
# The next patch is for 4.1.1-RELEASE
# ***************
# *** 1009,1016 ****
# else
# break;
# }
# ! if (nbr < IPFW_DEFAULT_RULE - 100)
# ! nbr += 100;
# ftmp->fw_number = nbr;
# }
#
# --- 1009,1016 ----
# else
# break;
# }
# ! if (nbr < IPFW_DEFAULT_RULE - 20)
# ! nbr += 20;
# ftmp->fw_number = nbr;
# }
#
# The next patch is for 4.2-RELEASE
# *** 1009,1016 ****
# else
# break;
# }
# ! if (nbr < IPFW_DEFAULT_RULE - 100)
# ! nbr += 100;
# ftmp->fw_number = frwl->fw_number = nbr;
# }
#
# --- 1009,1016 ----
# else
# break;
# }
# ! if (nbr < IPFW_DEFAULT_RULE - 20)
# !
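Review bot: The kernel hunks now test `nbr < IPFW_DEFAULT_RULE - 20`, but the ipfw.8 hunk that documents the new step still says the cut-off is a highest rule number of `65435 or greater`; that figure is IPFW_DEFAULT_RULE - 100 (assuming IPFW_DEFAULT_RULE is 65535, which the old text implies) and would need to read 65515 to match the code. The step literal is written twice in each kernel hunk, in the comparison and in `nbr += 20;`, across the 4.1.1, 4.2 and 4.5 hunks as well as in the comment of the 3.x hunk, so a single named constant — e.g. `#define IPFW_RULE_STEP 20` (name is a suggestion) used in both expressions — would keep code and manual from drifting as they have here and is also the natural hook for the sysctl the description asks for. The enclosing function starts before each hunk, and the only rule storage visible here is the list walked with LIST_FIRST/LIST_NEXT, so a smaller step appears to change only the numbering range rather than any kernel table size; confirm against the allocation path, which is outside these hunks.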
nbr += 20;
# ftmp->fw_number = frwl->fw_number = nbr;
# }
# *** 4.5-RELEASE/src/sys/netinet/ip_fw.c Mon Jan 7 23:40:22 2002
--- new-generic/src/sys/netinet/ip_fw.c Tue Feb 26 17:33:56 2002
***************
*** 1609,1616 ****
else
break;
}
! if (nbr < IPFW_DEFAULT_RULE - 100)
! nbr += 100;
ftmp->fw_number = rule->fw_number = nbr;
}
--- 1609,1616 ----
else
break;
}
! if (nbr < IPFW_DEFAULT_RULE - 20)
! nbr += 20;
ftmp->fw_number = rule->fw_number = nbr;
}
# The next patch is just for obsolete old 3.4,
# not for 4.1-RELEASE or 4.5-RELEASE
# *** 3.4-RELEASE/src/sbin/ipfw/ipfw.8 Wed Oct 20 15:07:36 1999
# --- jhs/src/sbin/ipfw/ipfw.8 Thu Apr 13 11:25:36 2000
# ***************
# *** 228,234 ****
# Multiple rules may share the same number and apply in
# the order in which they were added.
# .Pp
# ! If a rule is added without a number, it is numbered 100 higher than the highest
# defined rule number, unless the highest defined rule number is 65435 or
# greater, in which case new rules are given that same number.
# .Pp
# --- 228,234 ----
# Multiple rules may share the same number and apply in
# the order in which they were added.
# .Pp
# ! If a rule is added without a number, it is numbered 20 higher than the highest
# defined rule number, unless the highest defined rule number is 65435 or
# greater, in which case new rules are given that same number.
# .Pp
# --------------------------------------------------------------------------------
Files with "100" that I probably can ignore, but not certain, & would appreciate confirmation from someone.
sys/netinet/tcp_debug.h #define TCP_NDEBUG 100
sys/kern/kern_sysctl.c k += 100;
sys/netinet/ip_divert.c #define DIVSNDQ (65536 + 100)
sys/netinet/ip_dummynet.c if (p->queue_size > 100)
sys/netipx/spx_debug.h #define SPX_NDEBUG 100
sys/netns/spp_debug.h #define SPP_NDEBUG 100