Date:      Tue, 03 Aug 2004 16:33:18 GMT
From:      Mark <admin@asarian-host.net>
To:        <freebsd-questions@freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: One OR MORE of source and destination addresses?
Message-ID:  <200408031633.I73GXIBP038908@asarian-host.net>
References:  <20040803105731.197c7cd0.wmoran@potentialtech.com> <200408031601.I73G1NQE037756@asarian-host.net>

Mark wrote:

> Bill Moran wrote:
>
>> How about using skipto instead of allow?  Thus, if it passes the
>> first one, it can just skipto the next rule to be checked.  i.e.:
>>
>> ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
>> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>>
>> Thus, if rule 11 passes, it skips to rule 12.  If it fails, it should
>> reject as always.  The end result is that a packet _must_ pass both
>> rules to be allowed.
>
> I spoke too soon. :( It seems this sort of rule evokes a bug:
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-April/001084.html
>
> My whole console is flooded with messages like these:
>
>     "ipfw: install_state: entry already present, done"
>
> Is there a known patch?

I just took a look at the code:

	if (q != NULL) { /* should never occur */
		/* q is the dynamic entry already found for this packet's flow;
		 * the message is rate-limited to once per second via last_log,
		 * and returning 0 tells the caller the state is in place */
		if (last_log != time_second) {
			last_log = time_second;
			printf("ipfw: install_state: entry already present, done\n");
		}
		return 0;
	}

What if I just hack the "printf ..." line out of there? Would that 'solve'
it? I know it's dirty; but would things still work?

Thanks,

- Mark
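Not part of the thread: an added C model of the install_state() path quoted above, constructed to show what the two-rule skipto chain does. It assumes the dynamic-state table is keyed by flow id alone, so the entry installed by rule 11 is found again when rule 12 runs, takes the early return, and the second rule's limit is never evaluated; removing the printf would only hide that.

```c
/* Constructed model of the install_state() path quoted above; not FreeBSD code.
 * Assumption: dynamic entries are keyed by flow id only, never by rule number. */
#include <stdio.h>
#include <string.h>
struct flow_id { unsigned src_ip, dst_ip; unsigned short src_port, dst_port; };
struct dyn_rule { struct flow_id id; int parent_rule; int used; };
#define DYN_MAX 64
static struct dyn_rule dyn_table[DYN_MAX];   /* stand-in for the kernel's dynamic rule table */
static int time_second = 1000;               /* kernel clock; held constant, so the message logs once */
static int already_present_logs = 0;         /* times the "entry already present" path fired */
static int limit_checks = 0;                 /* times a rule's limit was actually evaluated */
static struct dyn_rule *lookup_dyn_rule(const struct flow_id *id)
{   /* keyed by flow only: the rule that created the entry plays no part */
    for (int i = 0; i < DYN_MAX; i++)
        if (dyn_table[i].used && !memcmp(&dyn_table[i].id, id, sizeof *id)) return &dyn_table[i];
    return NULL;
}
/* 0 = packet may proceed (state installed, or found already there); 1 = limit rejects it */
static int install_state(int rule_num, int conn_limit, const struct flow_id *id)
{
    static int last_log;
    int count = 0;
    if (lookup_dyn_rule(id) != NULL) {   /* "should never occur", but it does after a skipto */
        if (last_log != time_second) {
            last_log = time_second;
            already_present_logs++;
            printf("ipfw: install_state: entry already present, done\n");
        }
        return 0;                        /* this rule's limit is never evaluated */
    }
    limit_checks++;
    /* simplified: count per rule; all sample flows share one src and one dst, so this matches a per-address count */
    for (int i = 0; i < DYN_MAX; i++)
        if (dyn_table[i].used && dyn_table[i].parent_rule == rule_num) count++;
    if (count >= conn_limit) return 1;
    for (int i = 0; i < DYN_MAX; i++)
        if (!dyn_table[i].used) { dyn_table[i].id = *id; dyn_table[i].parent_rule = rule_num; dyn_table[i].used = 1; break; }
    return 0;
}
/* Send n SYNs from one client (distinct source ports) to port 25 through "11 skipto 12 ... limit dst-addr 32"
 * then "12 allow ... limit src-addr 4". Returns how many pass; an enforced src-addr limit would stop at 4. */
static int count_allowed_from_same_src(int n)
{
    int allowed = 0;
    for (int p = 0; p < n; p++) {
        struct flow_id f = { 0x0a000001u, 0x0a000002u, (unsigned short)(40000 + p), 25 }; /* constructed sample */
        if (install_state(11, 32, &f) == 0 && install_state(12, 4, &f) == 0) allowed++;
    }
    return allowed;
}
```

With six connections from one source, all six pass although rule 12 allows four, and the warning fires once because time_second never advances.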



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200408031633.I73GXIBP038908>