Date: Thu, 24 Oct 2002 10:06:35 +0800
From: Eugene Grosbein <eugen@kuzbass.ru>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: stable@FreeBSD.ORG
Subject: Re: Call for testers: ipfw(8) limit patch
Message-ID: <3DB755AB.9BB9F9B9@kuzbass.ru>
References: <20021021174100.Q1221-100000@news1.macomnet.ru> <3DB4F490.57050242@kuzbass.ru> <20021022155420.G59161-100000@news1.macomnet.ru> <3DB60570.C75F91EA@kuzbass.ru> <20021023133644.T22644-100000@news1.macomnet.ru>
Maxim Konovalov wrote:
> > I'd suggest using log() instead of printf() in ipfw[2].
>
> Does it suit you?
>
> Index: sys/netinet/ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.35
> diff -u -r1.131.2.35 ip_fw.c
> --- sys/netinet/ip_fw.c 29 Jul 2002 02:04:25 -0000 1.131.2.35
> +++ sys/netinet/ip_fw.c 23 Oct 2002 09:35:54 -0000
> @@ -696,11 +696,11 @@
>  if (zap)
>  zap = force || TIME_LEQ( q->expire , time_second );
>  /* do not zap parent in first pass, record we need a second pass */
> - if (q->dyn_type == DYN_LIMIT_PARENT) {
> + if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
>  max_pass = 1; /* we need a second pass */
> - if (zap == 1 && (pass == 0 || q->count != 0) ) {
> + if (pass == 0 || q->count != 0) {
>  zap = 0 ;
> - if (pass == 1) /* should not happen */
> + if (pass == 1 && force) /* should not happen */
>  printf("OUCH! cannot remove rule, count %d\n",
>  q->count);
>  }
> @@ -987,8 +987,21 @@
>  }
>  if (parent->count >= conn_limit) {
>  EXPIRE_DYN_CHAIN(rule); /* try to expire some */
> + /*
> + * The expiry might have removed the parent too.
> + * We lookup again, which will re-create if necessary.
> + */
> + parent = lookup_dyn_parent(&id, rule);
> + if (parent == NULL) {
> + printf("add parent failed\n");
> + return 1;
> + }
>  if (parent->count >= conn_limit) {
> - printf("drop session, too many entries\n");
> + if (fw_verbose && last_log != time_second) {
> + last_log = time_second;
> + log(LOG_SECURITY | LOG_INFO,
> + "drop session, too many entries\n");
> + }
>  return 1;
>  }
>  }

That looks nice. I currently run the previous version of your patch and can't reboot my server to test this next version, sorry.

Eugene
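Review bot: in the first hunk (@@ -696), now that the `zap == 1` test has been folded into the outer `if (zap && ...)`, the `/* should not happen */` comment only describes the `force` case: in a non-forced second pass a parent with `q->count != 0` is simply one whose children survived expiry, so keeping it silently is intended, whereas under `force` every child was zapped in the first pass and a non-zero count is a real inconsistency. The comment should say that, e.g. `/* should not happen: forced pass zapped all children */`. Since the stated aim of this revision is to replace printf() with log(), the OUCH message could move to `log(LOG_ERR, ...)` too; it is already bounded by firing only when `pass == 1 && force`.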
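Review bot: in the second hunk (@@ -987), `last_log` is used but not declared anywhere in the diff; it needs a file-scope `static` of the same type as `time_second`, or the patch will not build, so the declaration should be part of the posted patch. The throttle is global rather than per rule, so several limit rules overflowing in the same second yield a single log line; that is acceptable for a rate limit but deserves a comment next to `last_log`. `printf("add parent failed\n")` is still a printf while the neighbouring message moves to log(); for consistency it could be `log(LOG_ERR, ...)`. The re-lookup of `parent` after EXPIRE_DYN_CHAIN() is the right fix for the case the new comment describes, where expiry frees the parent entry before it is dereferenced again.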