From: "Jin Guojun [VFFS]"
Date: Wed, 13 Sep 2006 11:52:25 -0700
To: Freddie Cash
Cc: ipfw@freebsd.org
Subject: Re: maximum deny entries?

Freddie Cash wrote:

>On Tue, September 12, 2006 5:40 pm, Jin Guojun [VFFS] wrote:
>
>>I am not sure if this is a bug or if there is some limitation on total
>>deny entries; when the deny list exceeds a certain length (36 lines in
>>this case), ipfw stops working (see the *** line below).
>>
>>This is on the 6.1-R i386 platform.
>>Is there a known problem on this issue?
>>Or did I make some mistake?
>>
>>Please CC me since I am not on the list.
>
>Works fine here, with 62 deny rules out of 533 rules in total. While
>not every deny rule has a matched packet so far, the rules under them
>all work fine.
>
>FreeBSD 6.1-p6, i386 (P2 333 MHz box).
>----
>Freddie Cash
>fcash@ocis.net

I tested in a slightly different way on a different machine with 6.1-R, and it did not have the problem. So this is surely not a limitation problem. This is why I wonder if this is a known bug that is triggered by a certain ipfw add command pattern somehow. I will investigate further to see if this is repeatable under some circumstances.

-Jin