Date: Tue, 24 Sep 2002 00:30:05 -0700 (PDT)
Message-Id: <200209240730.g8O7U5jg053386@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Maxim Konovalov
Subject: Re: bin/43319: ipfw ... to not me

The following reply was made to PR bin/43319; it has been noted by GNATS.
From: Maxim Konovalov To: Eugene Grosbein Cc: bug-followup@FreeBSD.org, Subject: Re: bin/43319: ipfw ... to not me Date: Tue, 24 Sep 2002 11:29:32 +0400 (MSD) [...] > >Synopsis: ipfw ... to not me [...] > >Environment: > System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD > 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002 > eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386 > > >Description: > > ipfw from RELENG_4 shows rules like '... to not me' incorrectly, > it shows '... to me' while kernel contain right structures. > This bug was fixed in CURRENT (ipfw.c, 1.122) 3 months ago but never in > STABLE. I'm afraid this won't be fixed in 4.7-STABLE. Someone, please fix > this cosmetic but really ugly bug in STABLE. > > >How-To-Repeat: > > ipfw add 60000 allow ip from any to not me > ipfw show 60000 > > >Fix: > > Index: ipfw.c > =================================================================== > RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v > retrieving revision 1.80.2.23 > diff -u -r1.80.2.23 ipfw.c > --- ipfw.c 13 May 2002 10:14:59 -0000 1.80.2.23 > +++ ipfw.c 3 Sep 2002 01:56:43 -0000 > @@ -276,7 +276,8 @@ > printf(" %u", chain->fw_prot); > > if (chain->fw_flg & IP_FW_F_SME) { > - printf(" from me"); > + printf(" from %sme", > + chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); > } else { > printf(" from %s", > chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); > @@ -322,7 +323,8 @@ > } > > if (chain->fw_flg & IP_FW_F_DME) { > - printf(" to me"); > + printf(" to %sme", > + chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); > } else { > printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); I suggest a slightly different patch (no functional changes but it matches the code in -current) Index: ipfw.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v retrieving revision 1.80.2.23 diff -u -r1.80.2.23 ipfw.c --- ipfw.c 13 May 2002 10:14:59 -0000 1.80.2.23 +++ ipfw.c 24 Sep 2002 07:11:47 -0000 
@@ -275,11 +275,11 @@ else printf(" %u", chain->fw_prot); + printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); + if (chain->fw_flg & IP_FW_F_SME) { - printf(" from me"); + printf("me"); } else { - printf(" from %s", - chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); adrt = ntohl(chain->fw_smsk.s_addr); if (adrt == ULONG_MAX && do_resolv) { @@ -321,11 +321,11 @@ } } + printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); + if (chain->fw_flg & IP_FW_F_DME) { - printf(" to me"); + printf("me"); } else { - printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); - adrt = ntohl(chain->fw_dmsk.s_addr); if (adrt == ULONG_MAX && do_resolv) { adrt = (chain->fw_dst.s_addr); %%% > While you are here, please commit next patch. > It allows use of "ipfw ... limit" feature. Without similar patch > it's nearly impossible to use this feature under load as kernel floods > console and syslog with debug messages. It is a really different issue. There is a semi-related PR, kern/35887. > --- ip_fw.c.orig Fri Jun 21 12:06:23 2002 > +++ ip_fw.c Fri Jun 21 12:24:09 2002 > @@ -701,9 +701,10 @@ > max_pass = 1; /* we need a second pass */ > if (zap == 1 && (pass == 0 || q->count != 0) ) { > zap = 0 ; > - if (pass == 1) /* should not happen */ > + DEB(if (pass == 1) /* should not happen */ > printf("OUCH! cannot remove rule, count %d\n", > q->count); > + ) > } > } > if (zap) { 
> @@ -989,7 +990,7 @@ > if (parent->count >= conn_limit) { > EXPIRE_DYN_CHAIN(rule); /* try to expire some */ > if (parent->count >= conn_limit) { > - printf("drop session, too many entries\n"); > + DEB(printf("drop session, too many entries\n");) > return 1; > } > } > > Eugene Grosbein > >Release-Note: > >Audit-Trail: > >Unformatted: > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-bugs" in the body of the message > > -- Maxim Konovalov, maxim@FreeBSD.org
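Review bot: the source-side hunk of the 24 Sep ipfw.c patch (@@ -275,11 +275,11 @@) is not covered by the PR's How-To-Repeat, which only adds and shows a `to not me` rule. Since `printf(" from %s", ...)` now runs ahead of both the `IP_FW_F_SME` branch and the address branch, the change should also be checked against `from not me`, `from me` and a negated plain-address source, confirming that `ipfw show` prints each rule exactly as it was entered.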
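Review bot: in the ip_fw.c hunk at @@ -701,9 +701,10 @@, the `DEB(` wrapper encloses the whole `if (pass == 1)` statement that the code itself marks "should not happen", so the report of a rule that cannot be removed while `q->count` is still nonzero on the second pass becomes debug-only. A message for a state that should not occur is better kept in normal builds and rate-limited than hidden. If it does stay under DEB, put the statement in braces inside the macro argument, because a multi-line `if` that ends in a lone `)` is easy to break in a later edit.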
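Review bot: in the ip_fw.c hunk at @@ -989,7 +990,7 @@, `printf("drop session, too many entries\n")` is the only trace the lines shown leave before `return 1`, so moving it under DEB makes refusals at `conn_limit` silent to whoever operates the firewall. The console and syslog flood described in the mail is an argument for rate-limiting the message or counting the drops, not for removing the signal: an administrator tuning `limit` rules, or reviewing a connection flood after the fact, needs to see that the limit was hit.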