From owner-freebsd-bugs  Mon Sep 23 23:20: 7 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6110C37B401
	for <freebsd-bugs@hub.freebsd.org>; Mon, 23 Sep 2002 23:20:04 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3DAFC43E6A
	for <freebsd-bugs@hub.freebsd.org>; Mon, 23 Sep 2002 23:20:03 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g8O6K3Co034649
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 23 Sep 2002 23:20:03 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g8O6K3Ae034648;
	Mon, 23 Sep 2002 23:20:03 -0700 (PDT)
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 50E5537B401; Mon, 23 Sep 2002 23:15:26 -0700 (PDT)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id A9A9D43E42; Mon, 23 Sep 2002 23:15:24 -0700 (PDT)
	(envelope-from eugen@www.svzserv.kemerovo.su)
Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1])
	by www.svzserv.kemerovo.su (8.12.5/8.12.5) with ESMTP id g8O6FLie095478;
	Tue, 24 Sep 2002 14:15:21 +0800 (KRAST)
	(envelope-from eugen@www.svzserv.kemerovo.su)
Received: (from eugen@localhost)
	by www.svzserv.kemerovo.su (8.12.5/8.12.5/Submit) id g8O6FKW3095471;
	Tue, 24 Sep 2002 14:15:20 +0800 (KRAST)
Message-Id: <200209240615.g8O6FKW3095471@www.svzserv.kemerovo.su>
Date: Tue, 24 Sep 2002 14:15:20 +0800 (KRAST)
From: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
Reply-To: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: luigi@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/43319: ipfw ... to not me
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         43319
>Category:       bin
>Synopsis:       ipfw ... to not me
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 23 23:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002 eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386

>Description:

ipfw from RELENG_4 shows rules like '... to not me' incorrectly,
it shows '... to me' while kernel contain right structures.
This bug was fixed in CURRENT (ipfw.c, 1.122) 3 months ago but never in
STABLE. I'm afraid this won't be fixed in 4.7-STABLE. Someone, please fix
this cosmetic but really ugly bug in STABLE.

>How-To-Repeat:

	ipfw add 60000 allow ip from any to not me
	ipfw show 60000

>Fix:

Index: ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.80.2.23
diff -u -r1.80.2.23 ipfw.c
--- ipfw.c      13 May 2002 10:14:59 -0000      1.80.2.23
+++ ipfw.c      3 Sep 2002 01:56:43 -0000
@@ -276,7 +276,8 @@
                printf(" %u", chain->fw_prot);

        if (chain->fw_flg & IP_FW_F_SME) {
-               printf(" from me");
+               printf(" from %sme",
+                       chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
        } else {
                printf(" from %s",
                    chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
@@ -322,7 +323,8 @@
        }

        if (chain->fw_flg & IP_FW_F_DME) {
-               printf(" to me");
+               printf(" to %sme",
+                       chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
        } else {
                printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");

While you are here, please commit next patch.
It allows use of "ipfw ... limit" feature. Without similar patch
it's nearly impossible to use this feature under load as kernel floods
console and syslog with debug messages.

--- ip_fw.c.orig        Fri Jun 21 12:06:23 2002
+++ ip_fw.c     Fri Jun 21 12:24:09 2002
@@ -701,9 +701,10 @@
                max_pass = 1; /* we need a second pass */
                if (zap == 1 && (pass == 0 || q->count != 0) ) {
                    zap = 0 ;
-                   if (pass == 1) /* should not happen */
+                   DEB(if (pass == 1) /* should not happen */
                        printf("OUCH! cannot remove rule, count %d\n",
                                q->count);
+                      )
                }
            }
            if (zap) {
@@ -989,7 +990,7 @@
        if (parent->count >= conn_limit) {
            EXPIRE_DYN_CHAIN(rule); /* try to expire some */
            if (parent->count >= conn_limit) {
-               printf("drop session, too many entries\n");
+               DEB(printf("drop session, too many entries\n");)
                return 1;
            }
        }

Eugene Grosbein
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message