Date:      Mon, 21 Oct 2002 17:53:45 +0400 (MSD)
From:      Maxim Konovalov <maxim@macomnet.ru>
To:        stable@freebsd.org
Subject:   Call for testers: ipfw(8) limit patch
Message-ID:  <20021021174100.Q1221-100000@news1.macomnet.ru>


Hello -stable,

The patch below fixes incorrect logic in remove_dyn_rule() which
produces that famous message "OUCH! cannot remove rule..". The second
part of the patch limits "drop session" message rate.

If you are using or would like to use ipfw(8) limit rules in RELENG_4
please try this patch. Please send your reports directly to me.

Thanks in advance.

Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.35
diff -u -r1.131.2.35 ip_fw.c
--- ip_fw.c	29 Jul 2002 02:04:25 -0000	1.131.2.35
+++ ip_fw.c	18 Oct 2002 07:32:15 -0000
@@ -696,11 +696,11 @@
 	    if (zap)
 		zap = force || TIME_LEQ( q->expire , time_second );
 	    /* do not zap parent in first pass, record we need a second pass */
-	    if (q->dyn_type == DYN_LIMIT_PARENT) {
+	    if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
 		max_pass = 1; /* we need a second pass */
-		if (zap == 1 && (pass == 0 || q->count != 0) ) {
+		if (pass == 0 || q->count != 0) {
 		    zap = 0 ;
-		    if (pass == 1) /* should not happen */
+		    if (pass == 1 && force) /* should not happen */
 			printf("OUCH! cannot remove rule, count %d\n",
 				q->count);
 		}
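Review bot: the /* should not happen */ comment on the `if (pass == 1 && force)` line no longer describes the whole branch. With this change an expired DYN_LIMIT_PARENT that still has q->count != 0 on pass 1 is kept silently when force is not set, which is now an expected case rather than an error. Suggest a comment saying that such a parent stays in place until its count drops to zero, and that the OUCH message is reserved for the forced case. The OUCH printf is also still neither gated on fw_verbose nor rate-limited, unlike the message changed in the second hunk; consider treating the two the same way.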
@@ -988,7 +988,10 @@
 	if (parent->count >= conn_limit) {
 	    EXPIRE_DYN_CHAIN(rule); /* try to expire some */
 	    if (parent->count >= conn_limit) {
-		printf("drop session, too many entries\n");
+		if (fw_verbose && last_log != time_second) {
+			last_log = time_second;
+			printf("drop session, too many entries\n");
+		}
 		return 1;
 	    }
 	}
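Review bot: last_log is compared and assigned in the added `if (fw_verbose && last_log != time_second)` block, but no declaration for it appears anywhere in this diff. Unless ip_fw.c already declares it at this revision, the patch needs to add one (a static of the same type as time_second would do), otherwise this will not compile. Separately, the new fw_verbose test suppresses the message entirely when verbose logging is off, which goes beyond the rate limit the description mentions; worth stating in the commit message so operators know the drop is no longer logged by default.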

%%%

-- 
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru

