From owner-freebsd-stable Wed Oct 23 2:37:47 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD6CA37B401 for ; Wed, 23 Oct 2002 02:37:44 -0700 (PDT)
Received: from relay1.macomnet.ru (relay1.macomnet.ru [195.128.64.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7563743E9C for ; Wed, 23 Oct 2002 02:37:43 -0700 (PDT) (envelope-from maxim@macomnet.ru)
Received: from news1.macomnet.ru (news1.macomnet.ru [195.128.64.14]) by relay1.macomnet.ru (8.11.6/8.11.6) with ESMTP id g9N9bc52022153; Wed, 23 Oct 2002 13:37:39 +0400 (MSD)
Date: Wed, 23 Oct 2002 13:37:38 +0400 (MSD)
From: Maxim Konovalov
To: Eugene Grosbein
Cc: stable@FreeBSD.ORG
Subject: Re: Call for testers: ipfw(8) limit patch
In-Reply-To: <3DB60570.C75F91EA@kuzbass.ru>
Message-ID: <20021023133644.T22644-100000@news1.macomnet.ru>
References: <20021021174100.Q1221-100000@news1.macomnet.ru> <3DB4F490.57050242@kuzbass.ru> <20021022155420.G59161-100000@news1.macomnet.ru> <3DB60570.C75F91EA@kuzbass.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 06:12+0400, Oct 23, 2002, Eugene Grosbein wrote:
> Maxim Konovalov wrote:
>
> > > > A patch below fixes incorrect logic in remove_dyn_rule() which
> > > > produces that famous message "OUCH! cannot remove rule..". The second
> > > > part of the patch limits "drop session" message rate.
> > >
> > > I'd like to not have "drop session" written to console altogether.
> > > At most, that should go to syslog but an opportunity to eliminate it
> > > would be nice.
> >
> > That code is from ipfw2, please discuss this issue with Luigi.
>
> I'd suggest using log() instead of printf() in ipfw[2].

Does it suit you?

Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.35
diff -u -r1.131.2.35 ip_fw.c
--- sys/netinet/ip_fw.c	29 Jul 2002 02:04:25 -0000	1.131.2.35
+++ sys/netinet/ip_fw.c	23 Oct 2002 09:35:54 -0000
@@ -696,11 +696,11 @@ if (zap) zap = force || TIME_LEQ( q->expire , time_second ); /* do not zap parent in first pass, record we need a second pass */ - if (q->dyn_type == DYN_LIMIT_PARENT) { + if (zap && q->dyn_type == DYN_LIMIT_PARENT) { max_pass = 1; /* we need a second pass */ - if (zap == 1 && (pass == 0 || q->count != 0) ) { + if (pass == 0 || q->count != 0) { zap = 0 ; - if (pass == 1) /* should not happen */ + if (pass == 1 && force) /* should not happen */ printf("OUCH! cannot remove rule, count %d\n", q->count); } @@ -987,8 +987,21 @@ } if (parent->count >= conn_limit) { EXPIRE_DYN_CHAIN(rule); /* try to expire some */ + /* + * The expiry might have removed the parent too. + * We lookup again, which will re-create if necessary. + */ + parent = lookup_dyn_parent(&id, rule); + if (parent == NULL) { + printf("add parent failed\n"); + return 1; + } if (parent->count >= conn_limit) { - printf("drop session, too many entries\n"); + if (fw_verbose && last_log != time_second) { + last_log = time_second; + log(LOG_SECURITY | LOG_INFO, + "drop session, too many entries\n"); + } return 1; } }
%%%
-- 
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
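Review bot: in the first hunk (remove_dyn_rule, around line 696) the comment `/* should not happen */` on the OUCH printf is now only true in the forced case, and the rewritten test depends on that, so the comment should say so. With the new `if (zap && q->dyn_type == DYN_LIMIT_PARENT)` guard, a parent reached on pass 1 with `q->count != 0` and `force` clear is the normal situation (its children have simply not expired yet) and the inner `if (pass == 0 || q->count != 0)` keeps it quietly; only when `force` is set does `zap = force || TIME_LEQ(...)` remove every child on pass 0, so a non-zero count on pass 1 is then a real inconsistency (provided child removal decrements the parent's count, which this hunk does not show). Suggest `/* with force, count must be 0 after the first pass */` so the old unconditional message is not reintroduced later. A side effect worth a sentence in the commit message: because the guard now wraps `max_pass = 1`, a parent that is not being zapped no longer triggers a second pass over the whole chain.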
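Review bot: in the second hunk (around line 987) `last_log` is used but not declared anywhere in the visible diff; it needs to be a static of the same type as `time_second`, because if it ends up as an uninitialised function-local the comparison `last_log != time_second` is true on every call and the rate limit does nothing. Second, the new `printf("add parent failed\n")` is still an unconditional console printf on the packet path, which is exactly what the `log()` change is meant to retire, and this branch is reached under the same load that reaches the drop-session one (the table sitting at `conn_limit` after `EXPIRE_DYN_CHAIN(rule)` removed nothing). Suggest gating it on `fw_verbose` and routing it through `log(LOG_SECURITY | LOG_INFO, ...)` with the same `last_log` check, e.g. `if (fw_verbose && last_log != time_second) { last_log = time_second; log(LOG_SECURITY | LOG_INFO, "add parent failed\n"); }`. Finally, the limit is one message per second overall rather than per rule, so a busy limit rule can mask drops on other rules; acceptable for a console-flood fix, but worth stating in the log line or the commit message.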