From owner-freebsd-bugs Mon Sep 30 6:50: 6 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7ACA037B401 for ; Mon, 30 Sep 2002 06:50:04 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3559F43E42 for ; Mon, 30 Sep 2002 06:50:04 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g8UDo3Co013047 for ; Mon, 30 Sep 2002 06:50:03 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g8UDo3wn013046; Mon, 30 Sep 2002 06:50:03 -0700 (PDT)
Date: Mon, 30 Sep 2002 06:50:03 -0700 (PDT)
Message-Id: <200209301350.g8UDo3wn013046@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Maxim Konovalov
Subject: Re: kern/35887
Reply-To: Maxim Konovalov
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The following reply was made to PR kern/35887; it has been noted by GNATS.

From: Maxim Konovalov
To: bug-followup@freebsd.org
Cc:
Subject: Re: kern/35887
Date: Mon, 30 Sep 2002 17:42:59 +0400 (MSD)

There are two unrelated problems.

First, limit rules just do not work for long-lived connections (more than net.inet.ip.fw.dyn_ack_lifetime seconds). A keepalive mechanism in ipfw2 solves the problem.

Second, ipfw1 incorrectly spams a kernel log. You can try a patch below. Again, ipfw2 does not have this bug.

Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.188
diff -u -r1.188 ip_fw.c
--- ip_fw.c 22 Jun 2002 11:51:02 -0000 1.188
+++ ip_fw.c 27 Sep 2002 12:06:35 -0000
@@ -724,11 +724,11 @@ if (zap) zap = force || TIME_LEQ( q->expire , time_second ); /* do not zap parent in first pass, record we need a second pass */ - if (q->dyn_type == DYN_LIMIT_PARENT) { + if (zap && q->dyn_type == DYN_LIMIT_PARENT) { max_pass = 1; /* we need a second pass */ - if (zap == 1 && (pass == 0 || q->count != 0) ) { + if (pass == 0 || q->count != 0) { zap = 0 ; - if (pass == 1) /* should not happen */ + if (pass == 1 && force) /* should not happen */ printf("OUCH! cannot remove rule, count %d\n", q->count); }
%%%

But I suggest switching to ipfw2 instead. Instructions are there:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=805262+0+archive/2002/cvs-all/20020728.cvs-all

--
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
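Review bot: the new guard `+ if (zap && q->dyn_type == DYN_LIMIT_PARENT) {` also moves `max_pass = 1;` under the zap check, so a second pass is now requested only when a parent entry is itself due for removal rather than for every DYN_LIMIT_PARENT encountered; that looks intended (there is nothing to clean up otherwise), but it is a behaviour change beyond the log fix and deserves a line in the commit message. The `/* should not happen */` comment is kept on `+ if (pass == 1 && force) /* should not happen */`, yet the unforced pass-1 case with `q->count != 0` (an expired parent still holding children, the source of the log spam described above) is now exactly the case that is silently retained via `zap = 0 ;`; consider rewording the comment to say the parent is deliberately kept while children remain, so the suppressed message is not mistaken for an unhandled state.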