From owner-freebsd-stable Mon Oct 21 6:53:50 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4EB8337B401 for ; Mon, 21 Oct 2002 06:53:48 -0700 (PDT)
Received: from relay1.macomnet.ru (relay1.macomnet.ru [195.128.64.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 16ACC43E4A for ; Mon, 21 Oct 2002 06:53:47 -0700 (PDT) (envelope-from maxim@macomnet.ru)
Received: from news1.macomnet.ru (news1.macomnet.ru [195.128.64.14]) by relay1.macomnet.ru (8.11.6/8.11.6) with ESMTP id g9LDrjc1790080 for ; Mon, 21 Oct 2002 17:53:45 +0400 (MSD)
Date: Mon, 21 Oct 2002 17:53:45 +0400 (MSD)
From: Maxim Konovalov
To: stable@freebsd.org
Subject: Call for testers: ipfw(8) limit patch
Message-ID: <20021021174100.Q1221-100000@news1.macomnet.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-Archive: (Web Archive)
List-Help: (List Instructions)
X-Loop: FreeBSD.ORG

Hello -stable,

A patch below fixes incorrect logic in remove_dyn_rule() which produces that famous message "OUCH! cannot remove rule..". The second part of the patch limits the "drop session" message rate.

If you are using or would like to use ipfw(8) limit rules in RELENG_4 please try this patch. Please send your reports directly to me. Thanks in advance.

Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.35
diff -u -r1.131.2.35 ip_fw.c
--- ip_fw.c	29 Jul 2002 02:04:25 -0000	1.131.2.35
+++ ip_fw.c	18 Oct 2002 07:32:15 -0000
@@ -696,11 +696,11 @@ if (zap) zap = force || TIME_LEQ( q->expire , time_second ); /* do not zap parent in first pass, record we need a second pass */ - if (q->dyn_type == DYN_LIMIT_PARENT) { + if (zap && q->dyn_type == DYN_LIMIT_PARENT) { max_pass = 1; /* we need a second pass */ - if (zap == 1 && (pass == 0 || q->count != 0) ) { + if (pass == 0 || q->count != 0) { zap = 0 ; - if (pass == 1) /* should not happen */ + if (pass == 1 && force) /* should not happen */ printf("OUCH! cannot remove rule, count %d\n", q->count); } @@ -988,7 +988,10 @@ if (parent->count >= conn_limit) { EXPIRE_DYN_CHAIN(rule); /* try to expire some */ if (parent->count >= conn_limit) { - printf("drop session, too many entries\n"); + if (fw_verbose && last_log != time_second) { + last_log = time_second; + printf("drop session, too many entries\n"); + } return 1; } } %%% -- Maxim Konovalov, MAcomnet, Internet Dept., system engineer phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
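Review bot: In the first hunk (@@ -696), the `/* should not happen */` comment is now misleading and should be reworded. With `if (pass == 1 && force)` the printf is reached only in the forced-flush case; in the normal path a DYN_LIMIT_PARENT whose expire time has passed while it still has live children (`q->count != 0`) is now left in place silently and picked up on a later expiry run, which is the legitimate situation that used to trigger the "OUCH!" message. Something like `/* forced flush should have emptied the children already */` would describe the remaining condition. Two further things worth stating in the commit message: folding `zap &&` into the outer `if (q->dyn_type == DYN_LIMIT_PARENT)` means a parent that is not due yet no longer sets `max_pass = 1`, so the second pass is now only requested when a parent is actually a zap candidate (previously any parent in the chain forced a second pass); and on pass 1 with `force` set the parent is still not removed when `count != 0`, so the rule stays in the chain after the diagnostic rather than being leaked or freed with children attached, which is the safe choice.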
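Review bot: In the second hunk (@@ -988), `last_log` is used but its declaration is not part of the diff; it needs to be a file-scope `static` initialised to 0, and it should be dedicated to this message, because a `last_log` shared with any other rate-limited printf would let two different events in the same second mask each other. Comparing against `time_second` caps output at one line per second, which is the right fix for a console flood when a peer keeps hitting the per-source limit, but it also means an operator can no longer tell one dropped session from ten thousand. Suggest counting the suppressed drops in a static counter and folding the count into the line when it is next printed, for example `printf("drop session, too many entries (%u suppressed)\n", ...)`, so the rate limit does not erase the signal it is protecting. Gating on `fw_verbose` is consistent with the rest of the logging in this file and is fine.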