Date: Tue, 1 Jul 2003 05:47:12 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Tim Wilde <twilde@dyndns.org>
Cc: ipfw@freebsd.org
Subject: Re: ipfw2: core dump with large { ip or ip2 } block
Message-ID: <20030701054712.C34275@xorpc.icir.org>
In-Reply-To: <Pine.BSF.4.53.0307010119120.49846@manganese.bos.dyndns.org>; from twilde@dyndns.org on Tue, Jul 01, 2003 at 01:20:38AM -0400
References: <Pine.BSF.4.53.0307010119120.49846@manganese.bos.dyndns.org>

There is a somewhat arbitrary limit (imposed by /sbin/ipfw I believe)
of some 1KB for each ipfw2 rule. Surely /sbin/ipfw should terminate
gracefully rather than dumping core (and I think someone submitted
patches to fix this).

This said, however, I don't believe having such huge OR-blocks is
the best way to program the firewall, because the code will have to
sequentially scan the list. You'd be much better off splitting the
list into smaller ones and jumping to them using subnets, or if several
of these addresses are on the same /24 or smaller subnet, use the
1.2.3.4/24{1,40-50,76,99} type of construct.

cheers
luigi

On Tue, Jul 01, 2003 at 01:20:38AM -0400, Tim Wilde wrote:
> When trying to add a rule with a very large (>>100 IPs) { ip or ip2 or ...
> } block with ipfw2 I run into a core dump - I looked through the manpage
> and couldn't find any reference to a limit of number of IPs in one rule
> with or, is there such a limit, or am I running into a bug? If so, how
> should I go about making a non-stripped ipfw binary so I can provide a
> useful backtrace? Thanks.
>
> Tim Wilde
>
> --
> Tim Wilde
> twilde@dyndns.org
> Systems Administrator
> Dynamic DNS Network Services
> http://www.dyndns.org/
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
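
Added example, not part of the original message and not code from ipfw: a Python sketch of the address-set suggestion in the reply above, which groups a flat IP list by /24 and emits one short rule per subnet in the addr/24{list} form. The rule numbers, the deny action and the sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def _ranges(octets):
    """Collapse sorted last-octet values into items such as 1,40-50,76."""
    items, start, prev = [], octets[0], octets[0]
    for o in octets[1:]:
        if o == prev + 1:
            prev = o
            continue
        items.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = o
    items.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(items)

def compact(addresses):
    """Group IPv4 addresses by /24 and return ipfw2 address expressions."""
    by_net = defaultdict(set)
    for a in addresses:
        ip = int(ipaddress.IPv4Address(a.strip()))  # raises on bad input
        by_net[ip & 0xFFFFFF00].add(ip & 0xFF)
    out = []
    for net in sorted(by_net):
        octets = sorted(by_net[net])
        base = ipaddress.IPv4Address(net)
        if len(octets) == 1:        # lone host: a plain address is shorter
            out.append(str(ipaddress.IPv4Address(net | octets[0])))
        elif len(octets) == 256:    # whole subnet: no set needed
            out.append(f"{base}/24")
        else:
            out.append(f"{base}/24{{{_ranges(octets)}}}")
    return out

def rules(addresses, first=1000, step=10, action="deny"):
    """One short rule per /24 instead of one huge { a or b or ... } block.
    Rule numbers and action are hypothetical. The address is single-quoted
    so that csh or bash does not brace-expand the {list} part."""
    return [f"ipfw add {first + i * step} {action} ip from '{expr}' to any"
            for i, expr in enumerate(compact(addresses))]

# Constructed sample input (documentation address ranges).
SAMPLE = (["192.0.2.1", "192.0.2.76", "192.0.2.99", "198.51.100.7"]
          + [f"192.0.2.{i}" for i in range(40, 51)])

if __name__ == "__main__":
    print("\n".join(rules(SAMPLE)))
```
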