Date: Wed, 26 Jul 2000 15:45:51 -0500 (CDT)
From: Stephen Montgomery-Smith <stephen@cauchy.math.missouri.edu>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/20201: "ipfw show" lists expired dynamic rules
Message-ID: <200007262045.PAA35896@cauchy.math.missouri.edu>
>Number: 20201
>Category: kern
>Synopsis: "ipfw show" lists expired dynamic rules
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 26 13:50:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Stephen Montgomery-Smith
>Release: FreeBSD 4.1-RC i386
>Organization:
University of Missouri
>Environment:
When you have installed an ipfw ruleset that includes rules with the keep-state
option set.
>Description:
ipfw show
lists all the dynamic rules, including those that have expired.
Indeed, looking at the code, it seems to me that the only time the
expired rules are cleaned out is when the number of dynamic rules
exceeds net.inet.ip.fw.dyn_max.
>How-To-Repeat:
type
ipfw show
>Fix:
My idea is as follows: when the user types
ipfw show
then in sys/netinet/ip_fw.c we should clean out all the expired
rules with a call to remove_dyn_rule(NULL,0). This should have
very low overhead, because we don't type ipfw show very often.
--- /sys/netinet/ip_fw.c Sat Jul 15 19:25:45 2000
+++ ip_fw.c Wed Jul 26 15:11:42 2000
@@ -1712,6 +1720,9 @@
switch (sopt->sopt_name) {
case IP_FW_GET:
+#if STATEFUL
+ remove_dyn_rule(NULL, 0 /* expire */);
+#endif
for (fcp = LIST_FIRST(&ip_fw_chain), size = 0; fcp;
fcp = LIST_NEXT(fcp, chain))
size += sizeof *fcp->rule;
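Review bot: the `remove_dyn_rule(NULL, 0 /* expire */)` call added at the top of the IP_FW_GET case modifies the dynamic-rule list from the setsockopt path, while the description notes that the same list is pruned from the packet path when the dyn_max limit is hit; please confirm this case runs at the same protection level (splnet) as that path, otherwise a concurrent removal can leave the list inconsistent. Also, the hunk header `@@ -1712,6 +1720,9 @@` carries an eight-line new-file offset before this hunk, which means the diff was cut from a larger set of changes; regenerate it against a pristine ip_fw.c (or include the earlier hunks) so it applies cleanly.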
>Release-Note:
>Audit-Trail:
>Unformatted:
Stephen Montgomery-Smith
