Date: Wed, 25 Sep 2002 03:40:06 -0700 (PDT)
From: Luigi Rizzo <luigi@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/43319: ipfw ... to not me
Message-ID: <200209251040.g8PAe6EM089532@freefall.freebsd.org>
The following reply was made to PR bin/43319; it has been noted by GNATS. From: Luigi Rizzo <luigi@FreeBSD.org> To: Maxim Konovalov <maxim@FreeBSD.org> Cc: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>, bug-followup@FreeBSD.org Subject: Re: bin/43319: ipfw ... to not me Date: Wed, 25 Sep 2002 03:37:58 -0700 feel free to commit this, i am not going to touch ipfw1 anymore. cheers luigi On Tue, Sep 24, 2002 at 11:29:32AM +0400, Maxim Konovalov wrote: > > [...] > > >Synopsis: ipfw ... to not me > [...] > > >Environment: > > System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD > > 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002 > > eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386 > > > > >Description: > > > > ipfw from RELENG_4 shows rules like '... to not me' incorrectly, > > it shows '... to me' while kernel contain right structures. > > This bug was fixed in CURRENT (ipfw.c, 1.122) 3 months ago but never in > > STABLE. I'm afraid this won't be fixed in 4.7-STABLE. Someone, please fix > > this cosmetic but really ugly bug in STABLE. > > > > >How-To-Repeat: > > > > ipfw add 60000 allow ip from any to not me > > ipfw show 60000 > > > > >Fix: > > > > Index: ipfw.c > > =================================================================== > > RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v > > retrieving revision 1.80.2.23 > > diff -u -r1.80.2.23 ipfw.c > > --- ipfw.c 13 May 2002 10:14:59 -0000 1.80.2.23 > > +++ ipfw.c 3 Sep 2002 01:56:43 -0000 > > @@ -276,7 +276,8 @@ > > printf(" %u", chain->fw_prot); > > > > if (chain->fw_flg & IP_FW_F_SME) { > > - printf(" from me"); > > + printf(" from %sme", > > + chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); > > } else { > > printf(" from %s", > > chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); 
> > @@ -322,7 +323,8 @@ > > } > > > > if (chain->fw_flg & IP_FW_F_DME) { > > - printf(" to me"); > > + printf(" to %sme", > > + chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); > > } else { > > printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); > > I suggest a slightly different patch (no functional changes but it > matches the code in -current) > > Index: ipfw.c > =================================================================== > RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v > retrieving revision 1.80.2.23 > diff -u -r1.80.2.23 ipfw.c > --- ipfw.c 13 May 2002 10:14:59 -0000 1.80.2.23 > +++ ipfw.c 24 Sep 2002 07:11:47 -0000 > @@ -275,11 +275,11 @@ > else > printf(" %u", chain->fw_prot); > > + printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); > + > if (chain->fw_flg & IP_FW_F_SME) { > - printf(" from me"); > + printf("me"); > } else { > - printf(" from %s", > - chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); > > adrt = ntohl(chain->fw_smsk.s_addr); > if (adrt == ULONG_MAX && do_resolv) { > @@ -321,11 +321,11 @@ > } > } > > + printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); > + > if (chain->fw_flg & IP_FW_F_DME) { > - printf(" to me"); > + printf("me"); > } else { > - printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); > - > adrt = ntohl(chain->fw_dmsk.s_addr); > if (adrt == ULONG_MAX && do_resolv) { > adrt = (chain->fw_dst.s_addr); > > %%% > > > While you are here, please commit next patch. > > It allows use of "ipfw ... limit" feature. Without similar patch > > it's nearly impossible to use this feature under load as kernel floods > > console and syslog with debug messages. > > It is a really different issue. There is a semi-related PR, > kern/35887. > > > --- ip_fw.c.orig Fri Jun 21 12:06:23 2002 > > +++ ip_fw.c Fri Jun 21 12:24:09 2002 
> > @@ -701,9 +701,10 @@ > > max_pass = 1; /* we need a second pass */ > > if (zap == 1 && (pass == 0 || q->count != 0) ) { > > zap = 0 ; > > - if (pass == 1) /* should not happen */ > > + DEB(if (pass == 1) /* should not happen */ > > printf("OUCH! cannot remove rule, count %d\n", > > q->count); > > + ) > > } > > } > > if (zap) { > > @@ -989,7 +990,7 @@ > > if (parent->count >= conn_limit) { > > EXPIRE_DYN_CHAIN(rule); /* try to expire some */ > > if (parent->count >= conn_limit) { > > - printf("drop session, too many entries\n"); > > + DEB(printf("drop session, too many entries\n");) > > return 1; > > } > > } > > > > Eugene Grosbein > > >Release-Note: > > >Audit-Trail: > > >Unformatted: > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-bugs" in the body of the message > > > > > > -- > Maxim Konovalov, maxim@FreeBSD.org > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
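Review bot: in the `@@ -276,7 +276,8 @@` hunk of the first ipfw.c patch the `chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""` ternary ends up duplicated in both arms of the `IP_FW_F_SME` test (and the `@@ -322,7 +323,8 @@` hunk repeats the pattern for `IP_FW_F_INVDST`); hoisting the prefix above the branch, as the second patch does with `printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");`, leaves one place to maintain and matches the -current code. The fix itself is correct as far as the hunk shows: the rule structure already carries the inversion flag for `from not me`, only the printer ignored it, so the listing an operator audits did not match the policy the kernel enforced.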
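Review bot: with the hoisted `printf(" from %s", ...)` in `@@ -275,11 +275,11 @@` the `else` branch now begins directly at `adrt = ntohl(chain->fw_smsk.s_addr);`, and the blank line that separated the removed two-line printf from it is dropped as well, which is what keeps the hunk at 11 lines on both sides; the `@@ -321,11 +321,11 @@` hunk mirrors this for the destination. Since the negation text now comes from a single printf shared by the keyword and address paths, check `ipfw show` output for all four forms (`me`, `not me`, an address, and `not` an address) in both directions before committing; the `How-To-Repeat` in the PR only covers `to not me`.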
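Review bot: wrapping the `if (pass == 1)` branch in `DEB(...)` in `@@ -701,9 +701,10 @@` of the ip_fw.c patch removes the only report of a condition the code itself marks `/* should not happen */` (a dynamic rule that could not be removed, `q->count` still non-zero); in any build where DEB() compiles out, that anomaly becomes invisible. Keep a visible signal, such as a counter or a rate-limited message, rather than silencing it. On form, the closing `)` of the macro argument sits on its own line after `q->count);`, which is easy to misread as belonging to the printf; putting the whole `if` on one line inside `DEB()` or using a braced block would make the scope obvious.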
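Review bot: `DEB(printf("drop session, too many entries\n");)` in `@@ -989,7 +990,7 @@` silences the message that tells an operator the `limit` rule is actually dropping sessions. The flood described in the PR is a real problem, but the fix that fits a firewall is rate limiting (one line per interval with a count of suppressed drops) or a per-rule drop counter, so that hitting the limit under load or under a connection flood stays observable. The drop itself, `return 1` when the second `parent->count >= conn_limit` test still fails after `EXPIRE_DYN_CHAIN(rule)`, is unchanged, which is correct; as already noted in the thread this is a different issue from the userland display bug and should be committed separately.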
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200209251040.g8PAe6EM089532>
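The display bug discussed in this PR, as an added example that is not part of the PR, of the quoted patches, or of FreeBSD's ipfw(8) source: a minimal model of the rule printer in its RELENG_4 form beside the corrected layout of the second patch, run over every combination of the four flags so the mismatch between what is shown and what the kernel enforces is visible. The `struct rule`, the bit values, the sample addresses and the function names are assumptions made for this example; only the flag names follow the quoted diff.

```c
/*
 * Added example, not code from the PR or from FreeBSD: a minimal model of
 * the ipfw(8) rule printer reproducing the bin/43319 symptom ("not" is
 * dropped whenever the address is the "me" keyword) next to the corrected
 * form.  struct rule, the bit values, the addresses and the function names
 * are assumptions made for this example; only the flag names follow the
 * quoted diff.
 */
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IP_FW_F_SME     0x0001u  /* assumed bit value: source is "me" */
#define IP_FW_F_DME     0x0002u  /* assumed bit value: destination is "me" */
#define IP_FW_F_INVSRC  0x0004u  /* assumed bit value: invert source match */
#define IP_FW_F_INVDST  0x0008u  /* assumed bit value: invert destination match */

struct rule {                    /* stand-in for the struct ip_fw fields used */
    unsigned       fw_flg;
    struct in_addr fw_src, fw_dst;
};

static struct rule make_rule(unsigned flg)
{
    struct rule r;
    r.fw_flg = flg;
    inet_pton(AF_INET, "192.0.2.10", &r.fw_src);     /* constructed sample */
    inet_pton(AF_INET, "198.51.100.20", &r.fw_dst);  /* constructed sample */
    return r;
}

/* RELENG_4 before the fix: "not " is only emitted on the address path. */
static const char *show_buggy(unsigned flg)
{
    static char out[128];
    char a[INET_ADDRSTRLEN];
    struct rule r = make_rule(flg);
    size_t n = 0;

    if (r.fw_flg & IP_FW_F_SME)
        n += (size_t)snprintf(out + n, sizeof out - n, "from me");
    else
        n += (size_t)snprintf(out + n, sizeof out - n, "from %s%s",
            (r.fw_flg & IP_FW_F_INVSRC) ? "not " : "",
            inet_ntop(AF_INET, &r.fw_src, a, sizeof a));
    if (r.fw_flg & IP_FW_F_DME)
        n += (size_t)snprintf(out + n, sizeof out - n, " to me");
    else
        n += (size_t)snprintf(out + n, sizeof out - n, " to %s%s",
            (r.fw_flg & IP_FW_F_INVDST) ? "not " : "",
            inet_ntop(AF_INET, &r.fw_dst, a, sizeof a));
    return out;
}

/* Corrected form (layout of the second patch): the prefix, with its
 * optional "not ", is printed once before the me/address branch. */
static const char *show_fixed(unsigned flg)
{
    static char out[128];
    char a[INET_ADDRSTRLEN];
    struct rule r = make_rule(flg);
    size_t n = 0;

    n += (size_t)snprintf(out + n, sizeof out - n, "from %s",
        (r.fw_flg & IP_FW_F_INVSRC) ? "not " : "");
    if (r.fw_flg & IP_FW_F_SME)
        n += (size_t)snprintf(out + n, sizeof out - n, "me");
    else
        n += (size_t)snprintf(out + n, sizeof out - n, "%s",
            inet_ntop(AF_INET, &r.fw_src, a, sizeof a));
    n += (size_t)snprintf(out + n, sizeof out - n, " to %s",
        (r.fw_flg & IP_FW_F_INVDST) ? "not " : "");
    if (r.fw_flg & IP_FW_F_DME)
        n += (size_t)snprintf(out + n, sizeof out - n, "me");
    else
        n += (size_t)snprintf(out + n, sizeof out - n, "%s",
            inet_ntop(AF_INET, &r.fw_dst, a, sizeof a));
    return out;
}

/* 1 if the old printer shows this rule the way the kernel matches it.
 * (The two printers use separate static buffers, so both may be live.) */
static int old_printer_is_honest(unsigned flg)
{
    return strcmp(show_buggy(flg), show_fixed(flg)) == 0;
}

/* Number of the 16 flag combinations the old printer misreports. */
static int count_misprinted(void)
{
    int bad = 0;
    unsigned flg;
    for (flg = 0; flg < 16; flg++)
        if (!old_printer_is_honest(flg))
            bad++;
    return bad;
}

int main(void)
{
    unsigned flg;
    for (flg = 0; flg < 16; flg++) {
        if (old_printer_is_honest(flg))
            continue;
        printf("fw_flg=0x%x shown as '%s' but enforced as '%s'\n",
            flg, show_buggy(flg), show_fixed(flg));
    }
    printf("%d of 16 combinations misreported\n", count_misprinted());
    return 0;
}
```

Compile with `cc -Wall` and run; every listed line is a rule whose `ipfw show` output would have read as a permit or deny for the host itself while the kernel matched everything except the host. Only combinations with `me` plus its inversion bit differ, which is why the bug stayed cosmetic for plain address rules and went unnoticed in STABLE.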