Date: Mon, 30 Sep 2002 06:50:03 -0700 (PDT)
From: Maxim Konovalov <maxim@macomnet.ru>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/35887
Message-ID: <200209301350.g8UDo3wn013046@freefall.freebsd.org>
The following reply was made to PR kern/35887; it has been noted by GNATS.

From: Maxim Konovalov <maxim@macomnet.ru>
To: bug-followup@freebsd.org
Cc:
Subject: Re: kern/35887
Date: Mon, 30 Sep 2002 17:42:59 +0400 (MSD)

There are two unrelated problems.

First, limit rules just do not work for long-lived connections (more than net.inet.ip.fw.dyn_ack_lifetime seconds). A keepalive mechanism in ipfw2 solves the problem.

Second, ipfw1 incorrectly spams the kernel log. You can try the patch below. Again, ipfw2 does not have this bug.

Index: ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.188 diff -u -r1.188 ip_fw.c --- ip_fw.c 22 Jun 2002 11:51:02 -0000 1.188 +++ ip_fw.c 27 Sep 2002 12:06:35 -0000 @@ -724,11 +724,11 @@ if (zap) zap = force || TIME_LEQ( q->expire , time_second ); /* do not zap parent in first pass, record we need a second pass */ - if (q->dyn_type == DYN_LIMIT_PARENT) { + if (zap && q->dyn_type == DYN_LIMIT_PARENT) { max_pass = 1; /* we need a second pass */ - if (zap == 1 && (pass == 0 || q->count != 0) ) { + if (pass == 0 || q->count != 0) { zap = 0 ; - if (pass == 1) /* should not happen */ + if (pass == 1 && force) /* should not happen */ printf("OUCH! cannot remove rule, count %d\n", q->count); }
%%%

But I suggest switching to ipfw2 instead. Instructions are here:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=805262+0+archive/2002/cvs-all/20020728.cvs-all

--
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
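Review bot: the `/* should not happen */` comment on the new `if (pass == 1 && force)` line no longer explains the condition it sits on. With this change a DYN_LIMIT_PARENT entry that still has `q->count != 0` on the second pass is kept silently unless `force` is set, so the comment should say that a non-forced pass finding a parent with a nonzero count is not an error and that the printf is reserved for forced removal. In the same hunk, `max_pass = 1` is now reached only when `zap` is nonzero, which means the context comment "record we need a second pass" should note that a second pass is requested only for parents that are already candidates for removal. The printf itself still prints only `q->count`; including something that identifies the rule would make the message usable when it does fire.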