Date: Thu, 24 Oct 2002 10:06:35 +0800
From: Eugene Grosbein <eugen@kuzbass.ru>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: stable@FreeBSD.ORG
Subject: Re: Call for testers: ipfw(8) limit patch
Message-ID: <3DB755AB.9BB9F9B9@kuzbass.ru>
References: <20021021174100.Q1221-100000@news1.macomnet.ru> <3DB4F490.57050242@kuzbass.ru> <20021022155420.G59161-100000@news1.macomnet.ru> <3DB60570.C75F91EA@kuzbass.ru> <20021023133644.T22644-100000@news1.macomnet.ru>
Maxim Konovalov wrote:
> > I'd suggest using log() instead of printf() in ipfw[2].
>
> Does it suit you?
>
> Index: sys/netinet/ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.35
> diff -u -r1.131.2.35 ip_fw.c
> --- sys/netinet/ip_fw.c 29 Jul 2002 02:04:25 -0000 1.131.2.35
> +++ sys/netinet/ip_fw.c 23 Oct 2002 09:35:54 -0000
> @@ -696,11 +696,11 @@
> if (zap)
> zap = force || TIME_LEQ( q->expire , time_second );
> /* do not zap parent in first pass, record we need a second pass */
> - if (q->dyn_type == DYN_LIMIT_PARENT) {
> + if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
> max_pass = 1; /* we need a second pass */
> - if (zap == 1 && (pass == 0 || q->count != 0) ) {
> + if (pass == 0 || q->count != 0) {
> zap = 0 ;
> - if (pass == 1) /* should not happen */
> + if (pass == 1 && force) /* should not happen */
> printf("OUCH! cannot remove rule, count %d\n",
> q->count);
> }
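Review bot: the "OUCH! cannot remove rule" message on the `printf("OUCH! ...` line still goes through printf(), even though the thread's stated suggestion was to use log() instead of printf() in ipfw; since the new `if (pass == 1 && force)` guard makes it reachable only on a forced flush, it would be consistent to emit it via `log(LOG_SECURITY | LOG_INFO, ...)` as the second hunk does for the drop message. Moving the `zap &&` test into the DYN_LIMIT_PARENT condition (and dropping the now-redundant `zap == 1` check) is fine: a parent that is not being zapped in this pass never needed `max_pass = 1` set on its behalf.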
> @@ -987,8 +987,21 @@
> }
> if (parent->count >= conn_limit) {
> EXPIRE_DYN_CHAIN(rule); /* try to expire some */
> + /*
> + * The expiry might have removed the parent too.
> + * We lookup again, which will re-create if necessary.
> + */
> + parent = lookup_dyn_parent(&id, rule);
> + if (parent == NULL) {
> + printf("add parent failed\n");
> + return 1;
> + }
> if (parent->count >= conn_limit) {
> - printf("drop session, too many entries\n");
> + if (fw_verbose && last_log != time_second) {
> + last_log = time_second;
> + log(LOG_SECURITY | LOG_INFO,
> + "drop session, too many entries\n");
> + }
> return 1;
> }
> }
>
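Review bot: the `printf("add parent failed\n");` on the re-lookup failure path is neither rate-limited nor gated on fw_verbose, unlike the `log(LOG_SECURITY | LOG_INFO, "drop session, too many entries\n")` a few lines below; since lookup_dyn_parent() can fail under memory pressure on every new flow, that path can flood the console in exactly the situation the patch is trying to calm, so it should use the same `fw_verbose && last_log != time_second` gating and log(). Also, the declaration of `last_log` is not visible in this hunk; it needs a static at file scope (initialised to 0) so that the first drop after boot is logged.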
That looks nice. I currently run the previous version of your patch
and can't reboot my server to test this next version, sorry.
Eugene