Date: Wed, 23 Oct 2002 13:37:38 +0400 (MSD)
From: Maxim Konovalov <maxim@macomnet.ru>
To: Eugene Grosbein <eugen@kuzbass.ru>
Cc: stable@FreeBSD.ORG
Subject: Re: Call for testers: ipfw(8) limit patch
Message-ID: <20021023133644.T22644-100000@news1.macomnet.ru>
In-Reply-To: <3DB60570.C75F91EA@kuzbass.ru>
References: <20021021174100.Q1221-100000@news1.macomnet.ru> <3DB4F490.57050242@kuzbass.ru> <20021022155420.G59161-100000@news1.macomnet.ru> <3DB60570.C75F91EA@kuzbass.ru>
On 06:12+0400, Oct 23, 2002, Eugene Grosbein wrote:
> Maxim Konovalov wrote:
>
> > > > A patch below fixes an incorrect logic in remove_dyn_rule() which
> > > > produces that famous message "OUCH! cannot remove rule..". The second
> > > > part of the patch limits "drop session" message rate.
> > >
> > > I'd like to not have "drop session" written to console altogether.
> > > At most, that should go to syslog but an opportunity to eliminate it
> > > would be nice.
> >
> > That code is from ipfw2, please discuss this issue with Luigi.
>
> I'd suggest using log() instead of printf() in ipfw[2].
Does it suit you?
Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.35
diff -u -r1.131.2.35 ip_fw.c
--- sys/netinet/ip_fw.c 29 Jul 2002 02:04:25 -0000 1.131.2.35
+++ sys/netinet/ip_fw.c 23 Oct 2002 09:35:54 -0000
@@ -696,11 +696,11 @@
if (zap)
zap = force || TIME_LEQ( q->expire , time_second );
/* do not zap parent in first pass, record we need a second pass */
- if (q->dyn_type == DYN_LIMIT_PARENT) {
+ if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
max_pass = 1; /* we need a second pass */
- if (zap == 1 && (pass == 0 || q->count != 0) ) {
+ if (pass == 0 || q->count != 0) {
zap = 0 ;
- if (pass == 1) /* should not happen */
+ if (pass == 1 && force) /* should not happen */
printf("OUCH! cannot remove rule, count %d\n",
q->count);
}
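Review bot: the "OUCH! cannot remove rule" message in this hunk stays an unconditional printf(), while the second hunk of the same patch switches the other diagnostic to a fw_verbose-gated, once-per-second log(LOG_SECURITY | LOG_INFO, ...); since this line is now reachable whenever a forced pass 1 meets a parent with q->count != 0, give it the same treatment rather than leaving one console-spam path behind. The comment "/* should not happen */" no longer matches the condition it guards: after the change it describes a parent that still has children after the forced child pass, so say that ("parent still has children after forced pass 0") instead. Folding the zap test into the outer if is a real behaviour change worth a line in the commit message: max_pass is no longer raised for a DYN_LIMIT_PARENT that is not being zapped, which is what stopped the needless second pass, and the old "zap == 1" test can be dropped because zap is assigned from "force || TIME_LEQ(...)" and is therefore 0 or 1 here.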
@@ -987,8 +987,21 @@
}
if (parent->count >= conn_limit) {
EXPIRE_DYN_CHAIN(rule); /* try to expire some */
+ /*
+ * The expiry might have removed the parent too.
+ * We lookup again, which will re-create if necessary.
+ */
+ parent = lookup_dyn_parent(&id, rule);
+ if (parent == NULL) {
+ printf("add parent failed\n");
+ return 1;
+ }
if (parent->count >= conn_limit) {
- printf("drop session, too many entries\n");
+ if (fw_verbose && last_log != time_second) {
+ last_log = time_second;
+ log(LOG_SECURITY | LOG_INFO,
+ "drop session, too many entries\n");
+ }
return 1;
}
}
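Review bot: the new "add parent failed" printf() is exactly the kind of unbounded console message the rest of this hunk is removing; if lookup_dyn_parent() returns NULL under sustained load (the comment says it re-creates the parent, so NULL is an allocation failure), every further packet on that rule prints a line, so gate it on fw_verbose and rate-limit it with last_log like the "drop session" message below it. last_log itself is not declared in this hunk; if it is a single file-scope static, one limit rule dropping sessions suppresses the log line for every other rule during the same second, which is acceptable for a rate limiter but should be stated in the commit message, as should the fact that log() and LOG_SECURITY need <sys/syslog.h>, which the patch does not add. The re-lookup after EXPIRE_DYN_CHAIN(rule) is the important part and deserves to lead the description: the pre-patch code dereferenced "parent->count" after the expiry pass could have freed that parent, and the new lookup plus NULL check is what closes that use-after-free.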
%%%
--
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
