Date: Wed, 25 Sep 2002 03:40:06 -0700 (PDT) From: Luigi Rizzo <luigi@FreeBSD.org> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/43319: ipfw ... to not me Message-ID: <200209251040.g8PAe6EM089532@freefall.freebsd.org>
The following reply was made to PR bin/43319; it has been noted by GNATS.
From: Luigi Rizzo <luigi@FreeBSD.org>
To: Maxim Konovalov <maxim@FreeBSD.org>
Cc: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>,
bug-followup@FreeBSD.org
Subject: Re: bin/43319: ipfw ... to not me
Date: Wed, 25 Sep 2002 03:37:58 -0700
Feel free to commit this, I am not going to touch ipfw1 anymore.
cheers
luigi
On Tue, Sep 24, 2002 at 11:29:32AM +0400, Maxim Konovalov wrote:
>
> [...]
> > >Synopsis: ipfw ... to not me
> [...]
> > >Environment:
> > System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD
> > 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002
> > eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386
> >
> > >Description:
> >
> > ipfw from RELENG_4 shows rules like '... to not me' incorrectly:
> > it shows '... to me' while the kernel contains the right structures.
> > This bug was fixed in CURRENT (ipfw.c, 1.122) 3 months ago but never in
> > STABLE. I'm afraid this won't be fixed in 4.7-STABLE. Someone, please fix
> > this cosmetic but really ugly bug in STABLE.
> >
> > >How-To-Repeat:
> >
> > ipfw add 60000 allow ip from any to not me
> > ipfw show 60000
> >
> > >Fix:
> >
> > Index: ipfw.c
> > ===================================================================
> > RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
> > retrieving revision 1.80.2.23
> > diff -u -r1.80.2.23 ipfw.c
> > --- ipfw.c 13 May 2002 10:14:59 -0000 1.80.2.23
> > +++ ipfw.c 3 Sep 2002 01:56:43 -0000
> > @@ -276,7 +276,8 @@
> > printf(" %u", chain->fw_prot);
> >
> > if (chain->fw_flg & IP_FW_F_SME) {
> > - printf(" from me");
> > + printf(" from %sme",
> > + chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
> > } else {
> > printf(" from %s",
> > chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
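Review bot: the `chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""` expression is now evaluated in both arms of `if (chain->fw_flg & IP_FW_F_SME)`; printing `" from %s"` with the prefix once before the branch and only `"me"` in the SME arm gives the same output without the duplicated ternary. The correction itself is right: the removed `printf(" from me")` ignored IP_FW_F_INVSRC, so `ipfw show` reported a negated source as its opposite.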
> > @@ -322,7 +323,8 @@
> > }
> >
> > if (chain->fw_flg & IP_FW_F_DME) {
> > - printf(" to me");
> > + printf(" to %sme",
> > + chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
> > } else {
> > printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
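Review bot: the same duplicated ternary appears here for IP_FW_F_INVDST in the DME arm; if the source-side hunk is restructured to print the prefix once before the branch, do the same here so the two endpoint printers stay symmetric.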
>
> I suggest a slightly different patch (no functional changes but it
> matches the code in -current)
>
> Index: ipfw.c
> ===================================================================
> RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
> retrieving revision 1.80.2.23
> diff -u -r1.80.2.23 ipfw.c
> --- ipfw.c 13 May 2002 10:14:59 -0000 1.80.2.23
> +++ ipfw.c 24 Sep 2002 07:11:47 -0000
> @@ -275,11 +275,11 @@
> else
> printf(" %u", chain->fw_prot);
>
> + printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
> +
> if (chain->fw_flg & IP_FW_F_SME) {
> - printf(" from me");
> + printf("me");
> } else {
> - printf(" from %s",
> - chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
>
> adrt = ntohl(chain->fw_smsk.s_addr);
> if (adrt == ULONG_MAX && do_resolv) {
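Review bot: the commit log for this hunk should reference PR bin/43319 and say it is an MFC of the -current change (ipfw.c 1.122, per the PR), since someone chasing the `to me` / `to not me` output difference between branches will look for exactly that. Printing `" from %s"` with the INVSRC prefix once before the branch, so that the SME arm prints only `"me"` and the else arm drops its own copy, is the cleaner shape of the fix.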
> @@ -321,11 +321,11 @@
> }
> }
>
> + printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
> +
> if (chain->fw_flg & IP_FW_F_DME) {
> - printf(" to me");
> + printf("me");
> } else {
> - printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
> -
> adrt = ntohl(chain->fw_dmsk.s_addr);
> if (adrt == ULONG_MAX && do_resolv) {
> adrt = (chain->fw_dst.s_addr);
>
> %%%
>
> > While you are here, please commit the next patch.
> > It allows use of the "ipfw ... limit" feature. Without a similar patch
> > it's nearly impossible to use this feature under load, as the kernel floods
> > the console and syslog with debug messages.
>
> It is a really different issue. There is a semi-related PR,
> kern/35887.
>
> > --- ip_fw.c.orig Fri Jun 21 12:06:23 2002
> > +++ ip_fw.c Fri Jun 21 12:24:09 2002
> > @@ -701,9 +701,10 @@
> > max_pass = 1; /* we need a second pass */
> > if (zap == 1 && (pass == 0 || q->count != 0) ) {
> > zap = 0 ;
> > - if (pass == 1) /* should not happen */
> > + DEB(if (pass == 1) /* should not happen */
> > printf("OUCH! cannot remove rule, count %d\n",
> > q->count);
> > + )
> > }
> > }
> > if (zap) {
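Review bot: the `OUCH! cannot remove rule` message sits under a `/* should not happen */` comment, so it is a sanity check on the expiry pass rather than per-packet chatter, and wrapping it in `DEB()` removes the only signal that the state the comment rules out has been reached; if it really fires under load that is a bug worth reporting on its own, and if it does not, it costs nothing to keep. Style-wise, enclosing a multi-line `if` statement in a macro invocation with the closing `)` on its own line (`+ )`) reads poorly; an `#ifdef` block or a `DEB()` around just the `printf` is clearer.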
> > @@ -989,7 +990,7 @@
> > if (parent->count >= conn_limit) {
> > EXPIRE_DYN_CHAIN(rule); /* try to expire some */
> > if (parent->count >= conn_limit) {
> > - printf("drop session, too many entries\n");
> > + DEB(printf("drop session, too many entries\n");)
> > return 1;
> > }
> > }
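Review bot: `drop session, too many entries` is printed once per connection refused under `if (parent->count >= conn_limit)`, which is the flood the PR describes under load, but it is also the one record that a `limit` rule is being hit (a host exceeding its connection cap), and `DEB(...)` silences it entirely in non-debug builds. A rate-limited printf (ppsratecheck(9), if available on RELENG_4) or a counter exported to userland keeps the signal without the flood; suggest that instead of compiling the message out.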
> >
> > Eugene Grosbein
>
> --
> Maxim Konovalov, maxim@FreeBSD.org
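The display bug the PR describes (a rule added as 'to not me' shown as 'to me'), modelled in an added example that is not from the PR, this thread or FreeBSD's ipfw.c; the flag names are the ipfw1 ones from the patches above, but their bit values, the render/parse functions and the simplification of non-'me' endpoints to 'any' are assumptions of this example.

```c
/* Added example, not from the PR or sbin/ipfw/ipfw.c: a model of the ipfw1
 * endpoint printer with the RELENG_4 bug beside the fixed logic, plus the
 * re-parse check an audit script would run over `ipfw show` output. */
#include <stdio.h>
#include <string.h>

/* Flag bit values are assumed here, not the real ones from ip_fw.h. */
#define IP_FW_F_SME    0x01u  /* source is "me" */
#define IP_FW_F_DME    0x02u  /* destination is "me" */
#define IP_FW_F_INVSRC 0x04u  /* source negated */
#define IP_FW_F_INVDST 0x08u  /* destination negated */

/* Render "from X to Y". With fixed == 0 the "me" arms print a bare "me",
 * as RELENG_4 did, so the negation is lost exactly when the endpoint is
 * "me". Non-"me" endpoints are simplified to "any". */
void render_endpoints(unsigned fw_flg, int fixed, char *out, size_t len)
{
    const char *src_not = (fw_flg & IP_FW_F_INVSRC) ? "not " : "";
    const char *dst_not = (fw_flg & IP_FW_F_INVDST) ? "not " : "";
    if (!fixed && (fw_flg & IP_FW_F_SME)) src_not = "";
    if (!fixed && (fw_flg & IP_FW_F_DME)) dst_not = "";
    snprintf(out, len, "from %s%s to %s%s",
             src_not, (fw_flg & IP_FW_F_SME) ? "me" : "any",
             dst_not, (fw_flg & IP_FW_F_DME) ? "me" : "any");
}
/* Parse one printed endpoint ("not me", "me", "any") back into flag bits. */
static unsigned parse_endpoint(const char *p, unsigned inv, unsigned me)
{
    unsigned flg = 0;
    if (strncmp(p, "not ", 4) == 0) { flg |= inv; p += 4; }
    if (strncmp(p, "me", 2) == 0) flg |= me;
    return flg;
}
/* Flags that the printed rule text claims the kernel holds. */
unsigned parse_endpoints(const char *text)
{
    unsigned flg = 0;
    const char *p;
    if ((p = strstr(text, "from ")) != NULL)
        flg |= parse_endpoint(p + 5, IP_FW_F_INVSRC, IP_FW_F_SME);
    if ((p = strstr(text, " to ")) != NULL)
        flg |= parse_endpoint(p + 4, IP_FW_F_INVDST, IP_FW_F_DME);
    return flg;
}
/* 1 if what ipfw prints re-parses to the flags the kernel actually holds. */
int roundtrip_ok(unsigned fw_flg, int fixed)
{
    char buf[64];
    render_endpoints(fw_flg, fixed, buf, sizeof buf);
    return parse_endpoints(buf) == fw_flg;
}
```

With fixed == 0 the PR's rule `allow ip from any to not me` round-trips as `to me`, so an audit reading `ipfw show` sees a rule allowing traffic to the host where the kernel actually allows traffic to everything except the host.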
