Date: Wed, 26 Jul 2000 15:45:51 -0500 (CDT)
From: Stephen Montgomery-Smith <stephen@cauchy.math.missouri.edu>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/20201: "ipfw show" lists expired dynamic rules
Message-ID: <200007262045.PAA35896@cauchy.math.missouri.edu>
>Number:         20201
>Category:       kern
>Synopsis:       "ipfw show" lists expired dynamic rules
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 13:50:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Stephen Montgomery-Smith
>Release:        FreeBSD 4.1-RC i386
>Organization:
University of Missouri
>Environment:
When you have installed an ipfw ruleset that includes ones with the keep-state option set.
>Description:
ipfw show lists all the dynamic rules, including those that have expired. Indeed, looking at the code, it seems to me that the only time the expired rules are cleaned out is when the number of dynamic rules exceeds net.inet.ip.fw.dyn_max
>How-To-Repeat:
type ipfw show
>Fix:
My idea is as follows: when the user types ipfw show then in sys/netinet/ip_fw.c we should clean out all the expired rules with a call to remove_dyn_rule(NULL,0). This should have very low overhead, because we don't type ipfw show very often.

--- /sys/netinet/ip_fw.c Sat Jul 15 19:25:45 2000 +++ ip_fw.c Wed Jul 26 15:11:42 2000 @@ -1712,6 +1720,9 @@ switch (sopt->sopt_name) { case IP_FW_GET: +#if STATEFUL + remove_dyn_rule(NULL, 0 /* expire */); +#endif for (fcp = LIST_FIRST(&ip_fw_chain), size = 0; fcp; fcp = LIST_NEXT(fcp, chain)) size += sizeof *fcp->rule;

>Release-Note:
>Audit-Trail:
>Unformatted:
Stephen Montgomery-Smith

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
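Review bot: the hunk header `@@ -1712,6 +1720,9 @@` already places the new-file side eight lines below the old-file side before this hunk adds anything, so the diff was taken against a locally modified ip_fw.c and may not apply cleanly to a stock 4.1-RC tree; regenerating it against an unmodified file would avoid a fuzzed or rejected hunk. The added `remove_dyn_rule(NULL, 0 /* expire */)` call is correctly placed before the `size` computation in the `IP_FW_GET` case, so the size reported and the list copied out are computed from the same, already-purged state, and wrapping it in `#if STATEFUL` matches the dynamic-rule code only existing under that option. Two things are worth stating in a short comment next to the call: that the purge is intentional so a listing reflects live rules only, and that it runs on every `IP_FW_GET` (any listing request, not just `ipfw show`), which is what the low-overhead argument in the report relies on.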
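As an added illustration, not code from this PR or from FreeBSD, the plain-C model below reproduces the two cleanup policies the report contrasts: a dynamic-rule table whose expired entries are only purged when it is full (the behaviour described as the bug), and a listing path that purges expired entries first (the proposed change). All names (dyn_expire, dyn_install, dyn_list_count, the scenario functions), the lifetimes, timestamps and a dyn_max of 4 are assumptions of this model, not FreeBSD identifiers or values.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for ipfw's dynamic rule list: each
 * entry carries an absolute expiry time in seconds (constructed model). */
struct dyn_rule {
    unsigned id;              /* constructed rule identifier */
    long expire;              /* expiry time; <= now means expired */
    struct dyn_rule *next;
};

static struct dyn_rule *dyn_head = NULL;
static int dyn_count = 0;
static int dyn_max = 4;       /* stands in for net.inet.ip.fw.dyn_max */

/* Purge every entry whose expiry is at or before 'now'; returns how many
 * were removed.  Plays the role the report assigns to remove_dyn_rule(NULL, 0). */
int dyn_expire(long now)
{
    struct dyn_rule **pp = &dyn_head, *q;
    int removed = 0;

    while ((q = *pp) != NULL) {
        if (q->expire <= now) {
            *pp = q->next;
            free(q);
            dyn_count--;
            removed++;
        } else {
            pp = &q->next;
        }
    }
    return removed;
}

/* Install a rule.  As in the reported behaviour, expired entries are only
 * cleaned out when the table is full; returns -1 if it stays full. */
int dyn_install(unsigned id, long now, long lifetime)
{
    struct dyn_rule *r;

    if (dyn_count >= dyn_max)
        dyn_expire(now);
    if (dyn_count >= dyn_max)
        return -1;
    if ((r = calloc(1, sizeof *r)) == NULL)
        return -1;
    r->id = id;
    r->expire = now + lifetime;
    r->next = dyn_head;
    dyn_head = r;
    dyn_count++;
    return 0;
}

/* Number of entries a listing would print.  With purge_first set, expired
 * entries are dropped before counting (the proposed IP_FW_GET change);
 * without it, stale entries are reported too (the bug). */
int dyn_list_count(long now, int purge_first)
{
    struct dyn_rule *r;
    int n = 0;

    if (purge_first)
        dyn_expire(now);
    for (r = dyn_head; r != NULL; r = r->next)
        n++;
    return n;
}

/* Free everything so each scenario starts from an empty table. */
void dyn_reset(void)
{
    while (dyn_expire(1L << 40) > 0)   /* far-future 'now' expires all */
        ;
}

/* Shared scenario: three rules installed at t=0 with a 10 s lifetime. */
static void scenario_setup(void)
{
    dyn_reset();
    dyn_install(1, 0, 10);
    dyn_install(2, 0, 10);
    dyn_install(3, 0, 10);
}

/* Listing at t=20 without a purge: all three expired rules still show. */
int listing_without_purge(void) { scenario_setup(); return dyn_list_count(20, 0); }

/* Listing at t=20 with purge-on-show: nothing stale is listed. */
int listing_with_purge(void) { scenario_setup(); return dyn_list_count(20, 1); }

/* The only pre-fix cleanup path, a full table: a fifth install at t=5 is
 * refused (nothing has expired), one at t=11 succeeds after the purge.
 * Returns the entry count afterwards (1), or a negative code on surprise. */
int install_when_full(void)
{
    unsigned i;

    dyn_reset();
    for (i = 1; i <= 4; i++)
        dyn_install(i, 0, 10);
    if (dyn_install(5, 5, 10) != -1)
        return -1;
    if (dyn_install(6, 11, 10) != 0)
        return -2;
    return dyn_count;
}

int main(void)
{
    printf("listed without purge: %d\n", listing_without_purge());
    printf("listed with purge:    %d\n", listing_with_purge());
    printf("entries after refill: %d\n", install_when_full());
    return 0;
}
```

The point of the model is the asymmetry the report describes: expiry is lazy, so between installs nothing ever removes a stale entry, and any consumer that walks the list (the listing here) sees entries whose timers ran out long ago unless it purges first.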