Date:      Thu, 17 May 2012 10:49:20 +0400
From:      "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To:        Daniel Kalchev <daniel@digsys.bg>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW tables trouble
Message-ID:  <4FB49F70.2000209@FreeBSD.org>
In-Reply-To: <4FB39865.50806@digsys.bg>
References:  <4FB39865.50806@digsys.bg>

On 16.05.2012 16:07, Daniel Kalchev wrote:
> Hello,
>
> I am having a persistent problem when using tables with ipfw. On a
> number of routers, built with various FreeBSD versions, with ipfw as
> loadable module or statically compiled, the problem remains the same.

>
>  From time to time, ipfw spews errors like this:
>
> Non-unique normal route, mask not entered
> Non-unique normal route, mask not entered
>
> or
>
> rn_delete: couldn't find our annotation
> rn_delete: couldn't find our annotation
> rn_delete: couldn't find our annotation

It seems that under some conditions the mask is passed incorrectly to the
radix code. A wrong mask can be generated by the ipfw module if userland
passes a value larger than 32. What is funny is that the kernel still
doesn't check the mask value in case of IPv4.

Can you update your 9-stable, add something like the following:

Index: sys/netinet/ipfw/ip_fw_table.c
===================================================================
--- sys/netinet/ipfw/ip_fw_table.c      (revision 235530)
+++ sys/netinet/ipfw/ip_fw_table.c      (working copy)
@@ -153,6 +153,8 @@ ipfw_add_table_entry(struct ip_fw_chain *ch, uint1
         case IPFW_TABLE_CIDR:
                 if (plen == sizeof(in_addr_t)) {
  #ifdef INET
+                       if (mlen > 32)
+                               return (EINVAL);
                         ent = malloc(sizeof(*ent), M_IPFW_TBL, M_WAITOK 
| M_ZERO);
                         ent->value = value;
                         /* Set 'total' structure length */
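
Review bot: the new `mlen > 32` test in the `plen == sizeof(in_addr_t)` branch hard-codes the IPv4 prefix limit. Deriving it from the address size, for example `if (mlen > sizeof(in_addr_t) * 8)`, would keep it in step with the length test directly above it, and a one-line comment saying that an out-of-range prefix length would otherwise reach the radix code as a bad mask would record why the check exists. Placing it ahead of the `malloc()` is right, since the early `return (EINVAL)` then has nothing to free. The hunk only touches ipfw_add_table_entry(); because the reported messages include `rn_delete: couldn't find our annotation`, the delete path deserves the same bound if it does not already have one.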

and see if this helps?

The same idea applies to 7/8, hence the code is still different.


>
> Sometimes, after such output, if one does:
>
> ipfw table 1 flush
> ipfw table 1 list
>
> the output is non-empty. It should be empty, right?

Can you show an example of such output?

How often does this happen?

>

> This problem has troubled me for a number of years already.
>
> Thanks in advance,
> Daniel