Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 10 Jul 2002 06:25:19 -0400
From:      Dan Pelleg <daniel+bsd@pelleg.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@freebsd.org
Subject:   Re: ipfw2 patches for -stable available
Message-ID:  <15660.2959.142937.827544@gargle.gargle.HOWL>
In-Reply-To: <20020709221347.A91104@iguana.icir.org>
References:  <20020709023203.A83270@iguana.icir.org> <u2sy9ckpbo1.fsf@gs166.sp.cs.cmu.edu> <20020709221347.A91104@iguana.icir.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Luigi Rizzo writes:
 > Hi Dan,
 > thanks for the report:
 > 
 > > I've only used it briefly. For now it looks ok, with the following observations:
 > > 
 > > 1) the "icmptype" option doesn't seem to be supported
 > 
 > the manpage lists "icmptypes" (plural) as the option keyword,
 > though it is true that the previous code allowed abbreviations
 > (but those could be ambiguous). I am not sure whether or
 > not it is the case to fix it -- for sure i can add "icmptype"
 > as an alias for "icmptypes"
 > 

I see. While both choices are reasonable, this change has the potential of
causing a lot of grief to people who find their rulesets altered. If we're
dropping abbreviations, maybe it's a good idea to provide a
search-and-replace script to convert existing rule scripts. Maybe even
offer it as part of mergemaster (if that's at all possible - I don't know).

 > > 3) I'm getting lots of "/kernel: install_state: entry already present,
 > > done"  (related to (2)?).
 > 
 > this one i cannot reproduce, do you have a small ruleset and
 > input example to send me so i can try and reproduce the problem ?
 > 

That's easy:

sh /etc/rc.firewall closed

ipfw add 500 pass tcp from me to any keep-state limit src-addr dst-port 40
ipfw add 600 pass udp from me to any keep-state limit src-addr dst-port 40


 Now just fire up Mozilla (which opens lots of connections in rapid
succession) and watch the logs.



I have another bug to report. The following causes a segfault on a
DUMMYNET-less machine:

ipfw queue 1 config pipe 10 weight 100 mask src-ip 0xffffffff

note that if you drop the mask speficier, then it just tells you:

ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Protocol not available

as it should.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?15660.2959.142937.827544>