Date:      Thu, 24 Oct 2002 18:19:24 +0800
From:      Eugene Grosbein <eugen@kuzbass.ru>
To:        Maxim Konovalov <maxim@macomnet.ru>
Cc:        stable@FreeBSD.ORG
Subject:   Re: Call for testers: ipfw(8) limit patch
Message-ID:  <3DB7C92C.20FBA28@kuzbass.ru>
References:  <20021021174100.Q1221-100000@news1.macomnet.ru> <3DB4F490.57050242@kuzbass.ru> <20021022155420.G59161-100000@news1.macomnet.ru> <3DB60570.C75F91EA@kuzbass.ru> <20021023133644.T22644-100000@news1.macomnet.ru>

> > > That code is from ipfw2, please discuss this issue with Luigi.
> >
> > I'd suggest using log() instead of printf() in ipfw[2].
> 
> Does it suit you?
> 
> Index: sys/netinet/ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.35
> diff -u -r1.131.2.35 ip_fw.c
> --- sys/netinet/ip_fw.c 29 Jul 2002 02:04:25 -0000      1.131.2.35
> +++ sys/netinet/ip_fw.c 23 Oct 2002 09:35:54 -0000
> @@ -696,11 +696,11 @@
>             if (zap)
>                 zap = force || TIME_LEQ( q->expire , time_second );
>             /* do not zap parent in first pass, record we need a second pass */
> -           if (q->dyn_type == DYN_LIMIT_PARENT) {
> +           if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
>                 max_pass = 1; /* we need a second pass */
> -               if (zap == 1 && (pass == 0 || q->count != 0) ) {
> +               if (pass == 0 || q->count != 0) {
>                     zap = 0 ;
> -                   if (pass == 1) /* should not happen */
> +                   if (pass == 1 && force) /* should not happen */
>                         printf("OUCH! cannot remove rule, count %d\n",
>                                 q->count);
>                 }
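Review bot: the "/* should not happen */" comment now sits on "if (pass == 1 && force)", which is exactly the forced-flush case rather than an impossible one, so either the comment or the "OUCH! cannot remove rule" message should say that it is only reachable when force is set. The new outer test "if (zap && q->dyn_type == DYN_LIMIT_PARENT)" also means max_pass = 1 is no longer set for a parent that is not due to expire, so the comment "do not zap parent in first pass, record we need a second pass" should be updated to say the second pass is only scheduled for parents that are actually expiring. Lastly, the printf() here remains an unthrottled console message in a patch whose purpose is to stop console flooding; consider gating it with fw_verbose and the same once-per-second check used for the log() call in the next hunk.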
> @@ -987,8 +987,21 @@
>         }
>         if (parent->count >= conn_limit) {
>             EXPIRE_DYN_CHAIN(rule); /* try to expire some */
> +           /*
> +            * The expiry might have removed the parent too.
> +            * We lookup again, which will re-create if necessary.
> +            */
> +           parent = lookup_dyn_parent(&id, rule);
> +           if (parent == NULL) {
> +               printf("add parent failed\n");
> +               return 1;
> +           }
>             if (parent->count >= conn_limit) {
> -               printf("drop session, too many entries\n");
> +               if (fw_verbose && last_log != time_second) {
> +                       last_log = time_second;
> +                       log(LOG_SECURITY | LOG_INFO,
> +                           "drop session, too many entries\n");
> +               }
>                 return 1;
>             }
>         }
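Review bot: printf("add parent failed\n") is a new, unconditional console message on a per-packet path (the NULL return from lookup_dyn_parent() that this hunk checks for can recur on every packet while the condition persists), so it reintroduces the flood the rest of the hunk removes; wrap it in the same "fw_verbose && last_log != time_second" check, or drop the message and just return 1. Also, last_log is used but neither declared nor initialized in the visible lines, and log() with LOG_SECURITY | LOG_INFO needs the syslog header; please include those parts of the change in the diff. Finally, the logged string carries nothing identifying which limit rule fired; since rule is in scope here (EXPIRE_DYN_CHAIN(rule), lookup_dyn_parent(&id, rule)), adding its rule number to the message would let an operator tell these lines apart from 'ipfw log' output in syslog.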
> 
> %%%

I've tried this patch. It doesn't flood a console but it floods syslog :-)
It would be nice to have an opportunity to distinguish messages from
'ipfw log' about packets that violate security policy from
messages of this part of code just yelling

Hey! ipfw limit is working!
Hey! ipfw limit is working!
Hey! ipfw limit is working!

And so on :-) Syslog compresses these messages, but seriously,
I'd like to have a method to eliminate them when they are useless
but keep warnings from 'ipfw log'.

Eugene Grosbein
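The throttle the patch uses (emit at most one line per second by comparing last_log with time_second) silences the flood, but it also throws away the information about how many sessions were dropped in between, which is what an operator would want when deciding whether the messages are noise or an attack. The following stand-alone C program is an added example, not code from the patch, from ipfw, or from anyone in this thread. It reimplements that once-per-second throttle in user space and extends it with a count of suppressed events that is attached to the next line that does get emitted. The names fw_verbose, struct log_throttle, throttled_log and the demo_* functions are assumptions of this example, and the burst of timestamps it replays is constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: a once-per-second log throttle in the style of the
 * "fw_verbose && last_log != time_second" check in the patch, extended
 * with a counter of suppressed messages.  Nothing here is kernel code;
 * fw_verbose stands in for the verbose sysctl and `now` stands in for
 * time_second.  All names are assumptions of this example.
 */

static int fw_verbose = 1;   /* stand-in for the ipfw verbose sysctl */

struct log_throttle {
    long last_log;             /* second in which a line was last emitted */
    unsigned long suppressed;  /* events swallowed since that line */
};

/*
 * Decide whether `msg` may be logged at wall-clock second `now`.
 * On success the line to emit is written into `out` and 1 is returned;
 * when throttled (or when logging is off) the event is only counted
 * and 0 is returned.  A suppressed count is folded into the next line.
 */
int throttled_log(struct log_throttle *t, long now, const char *msg,
                  char *out, size_t outlen)
{
    if (!fw_verbose || t->last_log == now) {
        t->suppressed++;
        return 0;
    }
    if (t->suppressed > 0)
        snprintf(out, outlen, "%s (%lu similar messages suppressed)",
                 msg, t->suppressed);
    else
        snprintf(out, outlen, "%s", msg);
    t->suppressed = 0;
    t->last_log = now;
    return 1;
}

/* Constructed burst: 5 drops in second 100, 3 in second 101, 1 in 105. */
static const long demo_burst[] = {100, 100, 100, 100, 100, 101, 101, 101, 105};
#define DEMO_BURST_LEN (sizeof demo_burst / sizeof demo_burst[0])

/* Replay the burst through one throttle; return lines emitted, and
 * optionally the number of events still unreported at the end. */
static int replay_burst(unsigned long *unreported)
{
    struct log_throttle t = { -1, 0 };   /* -1: nothing emitted yet */
    char line[128];
    int emitted = 0;

    for (size_t i = 0; i < DEMO_BURST_LEN; i++) {
        if (throttled_log(&t, demo_burst[i],
                          "drop session, too many entries",
                          line, sizeof line)) {
            emitted++;
            printf("t=%ld: %s\n", demo_burst[i], line);
        }
    }
    if (unreported != NULL)
        *unreported = t.suppressed;
    return emitted;
}

/* Number of syslog lines the constructed burst produces (3 of 9 events). */
int demo_burst_emitted(void)
{
    return replay_burst(NULL);
}

/* Events not yet reported when the burst ends (0 for this burst, because
 * the lone drop at second 105 flushes the count from second 101). */
unsigned long demo_burst_unreported(void)
{
    unsigned long left;
    replay_burst(&left);
    return left;
}

int main(void)
{
    int n = demo_burst_emitted();
    printf("%d lines emitted for %zu events, %lu still unreported\n",
           n, (size_t)DEMO_BURST_LEN, demo_burst_unreported());
    return 0;
}
```

Replaying the burst prints three lines, the second and third carrying the "(4 similar messages suppressed)" and "(2 similar messages suppressed)" suffixes. One limitation to keep in mind with this pattern: a suppressed count is only flushed by the next emitted line, so events that arrive after the last emission of a burst stay unreported until something else triggers the logger; a kernel implementation would want a periodic flush for that case.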
