Date:      Tue, 24 Sep 2002 14:15:20 +0800 (KRAST)
From:      Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        luigi@FreeBSD.org
Subject:   bin/43319: ipfw ... to not me
Message-ID:  <200209240615.g8O6FKW3095471@www.svzserv.kemerovo.su>


>Number:         43319
>Category:       bin
>Synopsis:       ipfw ... to not me
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 23 23:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002 eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386

>Description:

ipfw from RELENG_4 shows rules like '... to not me' incorrectly:
it shows '... to me' while the kernel contains the right structures.
This bug was fixed in CURRENT (ipfw.c, 1.122) 3 months ago but never in
STABLE. I'm afraid this won't be fixed in 4.7-STABLE. Someone, please fix
this cosmetic but really ugly bug in STABLE.

>How-To-Repeat:

	ipfw add 60000 allow ip from any to not me
	ipfw show 60000

>Fix:

Index: ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.80.2.23
diff -u -r1.80.2.23 ipfw.c
--- ipfw.c      13 May 2002 10:14:59 -0000      1.80.2.23
+++ ipfw.c      3 Sep 2002 01:56:43 -0000
@@ -276,7 +276,8 @@
                printf(" %u", chain->fw_prot);

        if (chain->fw_flg & IP_FW_F_SME) {
-               printf(" from me");
+               printf(" from %sme",
+                       chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
        } else {
                printf(" from %s",
                    chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
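Review bot: the fix for the IP_FW_F_SME branch is correct, but the "not " prefix is now derived from the same IP_FW_F_INVSRC bit in both the if and the else branch; hoist it once above the if, e.g. `const char *inv = chain->fw_flg & IP_FW_F_INVSRC ? "not " : "";`, and use `inv` in both printf calls so the two paths cannot drift apart again. How-To-Repeat only exercises `to not me`; add an `ipfw add ... from not me` rule there so this source-side hunk is actually verified.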
@@ -322,7 +323,8 @@
        }

        if (chain->fw_flg & IP_FW_F_DME) {
-               printf(" to me");
+               printf(" to %sme",
+                       chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
        } else {
                printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
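Review bot: same pattern as the source hunk for IP_FW_F_INVDST, so the same hoisting applies; also the else branch keeps its ternary on one line while the new branch splits it across two, and the two should be formatted alike. Worth checking that a rule with IP_FW_F_DME and no IP_FW_F_INVDST still prints plain "to me" (it does, the ternary yields ""), and that `ipfw list` output can now be fed back to `ipfw add` unchanged, which is the real regression the description reports.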

While you are here, please commit the next patch.
It allows use of the "ipfw ... limit" feature. Without a similar patch
it's nearly impossible to use this feature under load, as the kernel floods
the console and syslog with debug messages.

--- ip_fw.c.orig        Fri Jun 21 12:06:23 2002
+++ ip_fw.c     Fri Jun 21 12:24:09 2002
@@ -701,9 +701,10 @@
                max_pass = 1; /* we need a second pass */
                if (zap == 1 && (pass == 0 || q->count != 0) ) {
                    zap = 0 ;
-                   if (pass == 1) /* should not happen */
+                   DEB(if (pass == 1) /* should not happen */
                        printf("OUCH! cannot remove rule, count %d\n",
                                q->count);
+                      )
                }
            }
            if (zap) {
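Review bot: wrapping the "OUCH! cannot remove rule" diagnostic in DEB() (presumably compiled out unless debugging is enabled) removes the only signal of a real dynamic-rule bookkeeping error; the comment on the same line says this path should not happen, so it is not the per-session flood the description complains about and should stay visible, or at worst be rate-limited rather than compiled out. Style: a closing `)` for the DEB( macro on its own line after a multi-line `if` containing a comment is hard to read; if DEB() is kept, write it as `if (pass == 1) DEB(printf(...));` on one statement.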
@@ -989,7 +990,7 @@
        if (parent->count >= conn_limit) {
            EXPIRE_DYN_CHAIN(rule); /* try to expire some */
            if (parent->count >= conn_limit) {
-               printf("drop session, too many entries\n");
+               DEB(printf("drop session, too many entries\n");)
                return 1;
            }
        }
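Review bot: the "drop session, too many entries" message is the operator's evidence that the limit rule fired, and it is also the flood source named in the description; silencing it entirely with DEB() cures the flood by discarding the evidence. Prefer rate-limiting (print once per interval together with a count of suppressed drops) or bumping a per-rule counter that `ipfw show` exposes, so the drop stays observable without a printf per packet. The `return 1` path itself is unchanged and still correct.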

Eugene Grosbein
>Release-Note:
>Audit-Trail:
>Unformatted:
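The second patch silences the limit-rule diagnostics at compile time, which trades the console flood for losing the signal altogether. As an added illustration that is not part of this PR or of FreeBSD's ip_fw.c, the following user-space C program shows the alternative a reviewer would ask for: a per-window rate limiter that still emits the first messages of each window and reports how many identical messages it withheld. `struct ratelimit`, `ratelimit_check` and `simulate_drops` are the example's own names, and the event stream is constructed inline.

```c
/*
 * Added example (not FreeBSD code): rate-limited logging with a suppressed
 * count, as an alternative to compiling the "drop session, too many entries"
 * message out with DEB().  User-space illustration; all names are the
 * example's own.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Per-window limiter: at most `burst` messages per `window` seconds. */
struct ratelimit {
    uint64_t window;            /* window length, seconds */
    uint64_t burst;             /* messages allowed per window */
    uint64_t window_start;      /* timestamp (seconds) when this window began */
    uint64_t emitted;           /* messages allowed so far in this window */
    uint64_t suppressed;        /* messages withheld in this window */
    uint64_t total_suppressed;  /* messages withheld since init */
};

static void ratelimit_init(struct ratelimit *rl, uint64_t window, uint64_t burst)
{
    rl->window = window;
    rl->burst = burst;
    rl->window_start = 0;
    rl->emitted = 0;
    rl->suppressed = 0;
    rl->total_suppressed = 0;
}

/*
 * Decide whether a message may be logged at time `now` (seconds, monotonic).
 * Returns 1 to log, 0 to suppress.  When a new window opens, *backlog is set
 * to the number of messages withheld in the previous window so the caller
 * can report it; otherwise *backlog is 0.
 */
static int ratelimit_check(struct ratelimit *rl, uint64_t now, uint64_t *backlog)
{
    *backlog = 0;
    if (now - rl->window_start >= rl->window) {
        *backlog = rl->suppressed;
        rl->window_start = now;
        rl->emitted = 0;
        rl->suppressed = 0;
    }
    if (rl->emitted < rl->burst) {
        rl->emitted++;
        return 1;
    }
    rl->suppressed++;
    rl->total_suppressed++;
    return 0;
}

/*
 * Simulate the limit-rule drop path being hit `n_events` times at
 * `events_per_sec` (a constructed, evenly spaced event stream).  Returns the
 * number of log lines actually printed; *suppressed receives the total number
 * of messages withheld.
 */
static uint64_t simulate_drops(uint64_t n_events, uint64_t events_per_sec,
                               uint64_t window, uint64_t burst,
                               uint64_t *suppressed)
{
    struct ratelimit rl;
    uint64_t printed = 0;

    ratelimit_init(&rl, window, burst);
    for (uint64_t i = 0; i < n_events; i++) {
        uint64_t now = i / events_per_sec;   /* timestamp of this event */
        uint64_t backlog;

        if (!ratelimit_check(&rl, now, &backlog))
            continue;   /* in the kernel this would have been a printf() per packet */
        if (backlog)
            printf("t=%" PRIu64 "s drop session, too many entries "
                   "(%" PRIu64 " similar messages suppressed)\n", now, backlog);
        else
            printf("t=%" PRIu64 "s drop session, too many entries\n", now);
        printed++;
    }
    *suppressed = rl.total_suppressed;
    return printed;
}

int main(void)
{
    uint64_t suppressed;
    /* 5 seconds at 100 drops/s, limited to 2 lines per 1-second window */
    uint64_t printed = simulate_drops(500, 100, 1, 2, &suppressed);

    printf("printed %" PRIu64 " lines, suppressed %" PRIu64 " of 500 drops\n",
           printed, suppressed);
    return 0;
}
```

The backlog of the final window is only counted in `total_suppressed`, not reported on the console, because no later window opens to carry it; a kernel implementation would flush that count from a timer or expose it as a counter next to the rule's packet and byte counts.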
