From owner-freebsd-stable Wed Oct 23 19:07:00 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30AA237B401 for ; Wed, 23 Oct 2002 19:06:58 -0700 (PDT)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.FreeBSD.org (Postfix) with ESMTP id 802BC43E65 for ; Wed, 23 Oct 2002 19:06:55 -0700 (PDT) (envelope-from eugen@kuzbass.ru)
Received: from kuzbass.ru (kost [213.184.65.82]) by www.svzserv.kemerovo.su (8.12.6/8.12.5) with ESMTP id g9O26nvv026187; Thu, 24 Oct 2002 10:06:50 +0800 (KRAST) (envelope-from eugen@kuzbass.ru)
Message-ID: <3DB755AB.9BB9F9B9@kuzbass.ru>
Date: Thu, 24 Oct 2002 10:06:35 +0800
From: Eugene Grosbein
Organization: SVZServ
X-Mailer: Mozilla 4.79 [en] (Win95; U)
X-Accept-Language: ru,en
MIME-Version: 1.0
To: Maxim Konovalov
Cc: stable@FreeBSD.ORG
Subject: Re: Call for testers: ipfw(8) limit patch
References: <20021021174100.Q1221-100000@news1.macomnet.ru> <3DB4F490.57050242@kuzbass.ru> <20021022155420.G59161-100000@news1.macomnet.ru> <3DB60570.C75F91EA@kuzbass.ru> <20021023133644.T22644-100000@news1.macomnet.ru>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Maxim Konovalov wrote:
>
> I'd suggest using log() instead of printf() in ipfw[2].
>
> Does it suit you?
>
> Index: sys/netinet/ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.35
> diff -u -r1.131.2.35 ip_fw.c
> --- sys/netinet/ip_fw.c 29 Jul 2002 02:04:25 -0000 1.131.2.35
> +++ sys/netinet/ip_fw.c 23 Oct 2002 09:35:54 -0000
> @@ -696,11 +696,11 @@ > if (zap) > zap = force || TIME_LEQ( q->expire , time_second ); > /* do not zap parent in first pass, record we need a second pass */ > - if (q->dyn_type == DYN_LIMIT_PARENT) { > + if (zap && q->dyn_type == DYN_LIMIT_PARENT) { > max_pass = 1; /* we need a second pass */ > - if (zap == 1 && (pass == 0 || q->count != 0) ) { > + if (pass == 0 || q->count != 0) { > zap = 0 ; > - if (pass == 1) /* should not happen */ > + if (pass == 1 && force) /* should not happen */ > printf("OUCH! cannot remove rule, count %d\n", > q->count); > } > @@ -987,8 +987,21 @@ > } > if (parent->count >= conn_limit) { > EXPIRE_DYN_CHAIN(rule); /* try to expire some */ > + /* > + * The expiry might have removed the parent too. > + * We lookup again, which will re-create if necessary. > + */ > + parent = lookup_dyn_parent(&id, rule); > + if (parent == NULL) { > + printf("add parent failed\n"); > + return 1; > + } > if (parent->count >= conn_limit) { > - printf("drop session, too many entries\n"); > + if (fw_verbose && last_log != time_second) { > + last_log = time_second; > + log(LOG_SECURITY | LOG_INFO, > + "drop session, too many entries\n"); > + } > return 1; > } > } >

That looks nice. I currently run the previous version of your patch and can't reboot my server to test this next version, sorry.

Eugene
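Review bot: the printf("OUCH! cannot remove rule, count %d\n", q->count) in the -696 hunk is still a bare console printf, while the -987 hunk moves the comparable "drop session" message to log(LOG_SECURITY | LOG_INFO, ...); given that the stated aim of this revision is using log() instead of printf(), this call should get the same treatment. The tightened guard `if (pass == 1 && force)` now reserves the message for the forced-flush case, where a parent still carrying a non-zero count after the first pass genuinely is unexpected; replacing the bare "should not happen" comment with a line saying that the non-force case is deliberately tolerated (children may legitimately outlive an unexpired parent's first pass) would make the intent clear to the next reader.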
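Review bot: the new failure path `printf("add parent failed\n"); return 1;` in the -987 hunk is neither gated by fw_verbose nor rate-limited, unlike the "drop session, too many entries" message a few lines below it, so a sustained stream of new sessions that keeps failing lookup_dyn_parent() would write one console line per packet; suggest the same `fw_verbose && last_log != time_second` guard with log(LOG_SECURITY | LOG_INFO, ...). Also, last_log is assigned and compared here but declared in neither hunk, so if it is a new static its definition is missing from the posted diff. Returning 1 (drop) when the parent cannot be re-created is the right fail-closed choice, since the limit cannot be enforced without a parent entry to count against.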