Date: Tue, 24 Sep 2002 00:30:05 -0700 (PDT)
From: Maxim Konovalov <maxim@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/43319: ipfw ... to not me
Message-ID: <200209240730.g8O7U5jg053386@freefall.freebsd.org>
The following reply was made to PR bin/43319; it has been noted by GNATS.
From: Maxim Konovalov <maxim@FreeBSD.org>
To: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
Cc: bug-followup@FreeBSD.org, <luigi@FreeBSD.org>
Subject: Re: bin/43319: ipfw ... to not me
Date: Tue, 24 Sep 2002 11:29:32 +0400 (MSD)
[...]
> >Synopsis: ipfw ... to not me
[...]
> >Environment:
> System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD
> 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002
> eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386
>
> >Description:
>
> ipfw from RELENG_4 shows rules like '... to not me' incorrectly;
> it shows '... to me' while the kernel contains the right structures.
> This bug was fixed in CURRENT (ipfw.c, 1.122) 3 months ago but never in
> STABLE. I'm afraid this won't be fixed in 4.7-STABLE. Someone, please fix
> this cosmetic but really ugly bug in STABLE.
>
> >How-To-Repeat:
>
> ipfw add 60000 allow ip from any to not me
> ipfw show 60000
>
> >Fix:
>
> Index: ipfw.c
> ===================================================================
> RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
> retrieving revision 1.80.2.23
> diff -u -r1.80.2.23 ipfw.c
> --- ipfw.c 13 May 2002 10:14:59 -0000 1.80.2.23
> +++ ipfw.c 3 Sep 2002 01:56:43 -0000
> @@ -276,7 +276,8 @@
> printf(" %u", chain->fw_prot);
>
> if (chain->fw_flg & IP_FW_F_SME) {
> - printf(" from me");
> + printf(" from %sme",
> + chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
> } else {
> printf(" from %s",
> chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
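Review bot: the inversion test `chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""` now appears in both arms of the `IP_FW_F_SME` branch, so the two copies can drift apart the same way the original `" from me"` did. Printing `" from %s"` with that test once, before the `if`, and leaving only `printf("me")` in the first arm keeps a single place that decides whether "not" is shown. The destination hunk has the same duplication with `IP_FW_F_INVDST`.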
> @@ -322,7 +323,8 @@
> }
>
> if (chain->fw_flg & IP_FW_F_DME) {
> - printf(" to me");
> + printf(" to %sme",
> + chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
> } else {
> printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
I suggest a slightly different patch (no functional changes but it
matches the code in -current):
Index: ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.80.2.23
diff -u -r1.80.2.23 ipfw.c
--- ipfw.c 13 May 2002 10:14:59 -0000 1.80.2.23
+++ ipfw.c 24 Sep 2002 07:11:47 -0000
@@ -275,11 +275,11 @@
else
printf(" %u", chain->fw_prot);
+ printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
+
if (chain->fw_flg & IP_FW_F_SME) {
- printf(" from me");
+ printf("me");
} else {
- printf(" from %s",
- chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
adrt = ntohl(chain->fw_smsk.s_addr);
if (adrt == ULONG_MAX && do_resolv) {
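Review bot: with `printf(" from %s", ...)` hoisted above the `if`, neither arm shows where its prefix comes from, and `printf("me")` on its own reads like a fragment. A one-line comment above the hoisted call, saying that it emits the shared " from [not ]" prefix for both the `me` form and the address form, would make that dependency explicit.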
@@ -321,11 +321,11 @@
}
}
+ printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
+
if (chain->fw_flg & IP_FW_F_DME) {
- printf(" to me");
+ printf("me");
} else {
- printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
-
adrt = ntohl(chain->fw_dmsk.s_addr);
if (adrt == ULONG_MAX && do_resolv) {
adrt = (chain->fw_dst.s_addr);
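Review bot: the `printf("me")` arm under `IP_FW_F_DME` is the only path the PR's How-To-Repeat exercises (`to not me`). Since the source hunk was changed the same way, the commit should be checked with `ipfw show` against rules using `from me`, `from not me`, `to me` and `to not me`, so that the listing matches what was added in all four cases.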
%%%
> While you are here, please commit the next patch.
> It allows use of the "ipfw ... limit" feature. Without a similar patch
> it's nearly impossible to use this feature under load, as the kernel floods
> the console and syslog with debug messages.
It is a really different issue. There is a semi-related PR,
kern/35887.
> --- ip_fw.c.orig Fri Jun 21 12:06:23 2002
> +++ ip_fw.c Fri Jun 21 12:24:09 2002
> @@ -701,9 +701,10 @@
> max_pass = 1; /* we need a second pass */
> if (zap == 1 && (pass == 0 || q->count != 0) ) {
> zap = 0 ;
> - if (pass == 1) /* should not happen */
> + DEB(if (pass == 1) /* should not happen */
> printf("OUCH! cannot remove rule, count %d\n",
> q->count);
> + )
> }
> }
> if (zap) {
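Review bot: the message guarded by `if (pass == 1)` is marked `/* should not happen */`, so wrapping the whole statement in `DEB( ... )` hides an inconsistency report rather than routine chatter, assuming `DEB()` drops its argument when debugging is off (its definition is not shown here). If the concern is console flooding, rate limiting this `printf` would keep the signal. An `if` statement passed as a macro argument across four lines, closed by a lone `)`, is also easy to break in a later edit.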
> @@ -989,7 +990,7 @@
> if (parent->count >= conn_limit) {
> EXPIRE_DYN_CHAIN(rule); /* try to expire some */
> if (parent->count >= conn_limit) {
> - printf("drop session, too many entries\n");
> + DEB(printf("drop session, too many entries\n");)
> return 1;
> }
> }
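Review bot: `printf("drop session, too many entries\n")` is the only visible sign on this path that `parent->count >= conn_limit` still held after `EXPIRE_DYN_CHAIN(rule)` and that the session was refused with `return 1`. If `DEB()` compiles to nothing outside debug builds (its definition is not shown here), moving the message into `DEB(...)` leaves an operator with no record that a `limit` rule is dropping sessions. A counter or a rate-limited log message would address the flooding without losing that visibility.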
>
> Eugene Grosbein
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-bugs" in the body of the message
>
>
--
Maxim Konovalov, maxim@FreeBSD.org
