Date:      Tue, 1 Jul 2003 05:47:12 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        Tim Wilde <twilde@dyndns.org>
Cc:        ipfw@freebsd.org
Subject:   Re: ipfw2: core dump with large { ip or ip2 } block
Message-ID:  <20030701054712.C34275@xorpc.icir.org>
In-Reply-To: <Pine.BSF.4.53.0307010119120.49846@manganese.bos.dyndns.org>; from twilde@dyndns.org on Tue, Jul 01, 2003 at 01:20:38AM -0400
References:  <Pine.BSF.4.53.0307010119120.49846@manganese.bos.dyndns.org>

There is a somewhat arbitrary limit (imposed by /sbin/ipfw I believe)
of some 1KB for each ipfw2 rule.  Surely /sbin/ipfw should terminate
gracefully rather than dumping core (and I think someone submitted
patches to fix this).

This said, however, I don't believe having such huge OR-blocks
is the best way to program the firewall, because the code
will have to sequentially scan the list. You'd be much better off
splitting the list into smaller ones and jumping to them
using subnets, or if several of these addresses are on the
same /24 or smaller subnet, use the 1.2.3.4/24{1,40-50,76,99} type of
construct.

	cheers
	luigi

On Tue, Jul 01, 2003 at 01:20:38AM -0400, Tim Wilde wrote:
> When trying to add a rule with a very large (>>100 IPs) { ip or ip2 or ...
> } block with ipfw2 I run into a core dump - I looked through the manpage
> and couldn't find any reference to a limit of number of IPs in one rule
> with or, is there such a limit, or am I running into a bug?  If so, how
> should I go about making a non-stripped ipfw binary so I can provide a
> useful backtrace?  Thanks.
> 
> Tim Wilde
> 
> -- 
> Tim Wilde
> twilde@dyndns.org
> Systems Administrator
> Dynamic DNS Network Services
> http://www.dyndns.org/
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
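
The address-set construct mentioned in the reply above, as an added example that is not part of the original thread: a Python helper that groups a flat address list by /24 and emits one compact ipfw2 rule per subnet instead of a single huge OR-block. The `deny` action, the rule numbering and the sample addresses (documentation ranges) are assumptions; the output is meant for a ruleset file read by `ipfw`, so the braces are never seen by a shell.

```python
import ipaddress
from collections import defaultdict

def compress(octets):
    """Collapse host octets into set items: [1, 40, 41, 42, 76] -> '1,40-42,76'."""
    items, start, prev = [], None, None
    for o in sorted(set(octets)):
        if start is None:
            start = prev = o
        elif o == prev + 1:
            prev = o
        else:
            items.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = o
    if start is not None:
        items.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(items)

def address_sets(addresses):
    """Group IPv4 addresses by /24; return one address spec per subnet."""
    by_net = defaultdict(set)
    for a in addresses:
        ip = ipaddress.IPv4Address(a.strip())
        net = ipaddress.IPv4Network((int(ip) & 0xFFFFFF00, 24))
        by_net[net].add(int(ip) & 0xFF)
    specs = []
    for net, hosts in sorted(by_net.items()):
        if len(hosts) == 1:
            # A lone host needs no set; emit the plain address.
            specs.append(str(net.network_address + next(iter(hosts))))
        else:
            specs.append(f"{net}{{{compress(hosts)}}}")
    return specs

def ruleset(addresses, action="deny", first=1000, step=10):
    """Ruleset-file lines (no leading 'ipfw'); action and numbering are assumed."""
    return [f"add {first + i * step} {action} ip from {spec} to any"
            for i, spec in enumerate(address_sets(addresses))]

# Constructed sample input using documentation address ranges.
SAMPLE = [f"192.0.2.{n}" for n in (1, *range(40, 51), 76, 99)]
SAMPLE += ["198.51.100.7", "203.0.113.200", "203.0.113.201"]

if __name__ == "__main__":
    print("\n".join(ruleset(SAMPLE)))
```

Each emitted rule covers one /24, so every rule stays short no matter how long the input list grows.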


