From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 27 01:19:04 2004
Date: Tue, 27 Apr 2004 12:19:02 +0400 (MSD)
From: Oleg Bulyzhin <oleg@rinet.ru>
To: ipfw@freebsd.org
cc: noc@rinet.ru
Message-ID: <20040427113659.J44815@lath.rinet.ru>
Subject: ipfw: install_state: entry already present, done
List-Id: IPFW Technical Discussions

Hi!

install_state() (in ip_fw2.c/RELENG_4) has the following code:

    if (q != NULL) { /* should never occur */
        if (last_log != time_second) {
            last_log = time_second;
            printf("ipfw: install_state: entry already present, done\n");
        }
        return 0;
    }

(similar code is in ip_fw.c and in CURRENT)

You can get such messages using these rules:

    ipfw add 10 skipto 20 tcp from any to any setup keep-state
    ipfw add 20 allow tcp from any to any setup keep-state

This example is quite useless, but there are _valid_ situations when you get your logs spammed with this error.

For example, I want to pass tcp connections to a limited set of destination hosts, and the total number of a client's tcp sessions should be limited. The ruleset might be like this (10.0.0.0/24 - client's network):

    10 check-state
    20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.1 setup keep-state
    20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.2 setup keep-state
    20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.3 setup keep-state
    50 reset tcp from 10.0.0.0/24 to any
    100 allow tcp from 10.0.0.0/24 to any setup limit src-addr 16

As a result you will get the error for every client's tcp SYN packet to the allowed host (well, the highest rate possible is 1 message/sec).

I think install_state() should store cmd->o.opcode in a static variable, and the error message should be printed only if the current opcode or the previous opcode equals O_KEEP_STATE (cause chained keep-state rules are useless but, I think, chained limit rules may be useful).

Any comments?

-- 
Oleg.
================================================================
=== Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru ===
================================================================
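The following Python model is an added illustration of the mechanism described in the message above; it is not ipfw source and not part of the original post. It walks the poster's six-rule set for a few constructed client SYN packets, keeps a toy dynamic-state table, and reproduces the quoted install_state() check (an existing entry is reported at most once per second). It shows why every permitted SYN reaches install_state() twice (once from the keep-state skipto rule, once from the limit rule it jumps to) while flows that hit the reset rule never do. The rule representation, the `Firewall` class and the `demo()` function are this example's own simplifications: the per-source count enforced by `limit src-addr 16` and the ipfw rule-set internals are not modelled.

```python
"""Toy model of ipfw rule evaluation and install_state()'s duplicate check.

Added example, not ipfw code. Only the behaviour discussed in the message is
modelled: check-state, skipto, reset, allow, and state installation by
keep-state / limit. The numeric count behind 'limit src-addr 16' is ignored.
"""
from ipaddress import ip_address, ip_network

# The ruleset from the message, as this model's dict representation.
# Equal rule numbers are kept in insertion order, as ipfw does.
RULESET = [
    dict(num=10, action="check-state"),
    dict(num=20, action="skipto", target=100, src="10.0.0.0/24", dst="192.168.0.1", setup=True, state="keep-state"),
    dict(num=20, action="skipto", target=100, src="10.0.0.0/24", dst="192.168.0.2", setup=True, state="keep-state"),
    dict(num=20, action="skipto", target=100, src="10.0.0.0/24", dst="192.168.0.3", setup=True, state="keep-state"),
    dict(num=50, action="reset", src="10.0.0.0/24"),
    dict(num=100, action="allow", src="10.0.0.0/24", setup=True, state="limit"),
]


def addr_match(spec, addr):
    """'any' or a host/CIDR specification against one address."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


class Firewall:
    def __init__(self, rules):
        # sorted() is stable, so rules sharing a number keep their relative order
        self.rules = sorted(rules, key=lambda r: r["num"])
        self.dyn = {}        # dynamic state table: flow key -> opcode that created it
        self.last_log = None  # plays the role of the static last_log in install_state()
        self.messages = []    # lines that would reach the kernel log

    def install_state(self, key, opcode, now):
        """Mirror of the quoted check: an existing entry is logged once per second."""
        if key in self.dyn:
            if self.last_log != now:
                self.last_log = now
                self.messages.append(f"{now}: ipfw: install_state: entry already present, done")
            return False
        self.dyn[key] = opcode
        return True

    def rule_matches(self, rule, pkt):
        if not addr_match(rule.get("src", "any"), pkt["src"]):
            return False
        if not addr_match(rule.get("dst", "any"), pkt["dst"]):
            return False
        if rule.get("setup") and not pkt["syn"]:  # 'setup' = SYN without ACK
            return False
        return True

    def evaluate(self, pkt, now):
        """Return the verdict for one packet; 'now' is the wall-clock second."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            if rule["action"] == "check-state":
                if key in self.dyn:
                    return "allow (existing state)"
                i += 1
                continue
            if not self.rule_matches(rule, pkt):
                i += 1
                continue
            # keep-state / limit run as part of the match, before the action
            if rule.get("state"):
                self.install_state(key, rule["state"], now)
            if rule["action"] == "skipto":
                i = next(j for j, r in enumerate(self.rules) if r["num"] >= rule["target"])
                continue
            return rule["action"]  # 'allow' or 'reset'
        return "deny (default)"


def demo():
    """Run constructed client SYNs through the ruleset; return verdicts and log lines."""
    fw = Firewall(RULESET)
    verdicts = [
        # second 1000: allowed host -> state installed at rule 20, duplicate at rule 100
        fw.evaluate(dict(src="10.0.0.5", sport=40000, dst="192.168.0.1", dport=80, syn=True), 1000),
        # same second, another allowed host -> duplicate again but log is rate-limited
        fw.evaluate(dict(src="10.0.0.6", sport=40001, dst="192.168.0.2", dport=80, syn=True), 1000),
        # host outside the allowed set -> rule 50 resets it, install_state() never runs
        fw.evaluate(dict(src="10.0.0.7", sport=40002, dst="192.168.0.9", dport=80, syn=True), 1000),
        # follow-up segment of the first flow -> matched by check-state
        fw.evaluate(dict(src="10.0.0.5", sport=40000, dst="192.168.0.1", dport=80, syn=False), 1000),
        # next second, new flow to an allowed host -> one more log line
        fw.evaluate(dict(src="10.0.0.8", sport=40003, dst="192.168.0.3", dport=80, syn=True), 1001),
    ]
    return verdicts, fw.messages


if __name__ == "__main__":
    v, m = demo()
    print("\n".join(v))
    print("\n".join(m))
```

Running `demo()` shows the poster's point concretely: three accepted SYN flows trigger three duplicate installs, but only two log lines appear because the second one falls into the same second as the first. When triaging this message on a real box, the thing to check is therefore whether the firewall rules chain a keep-state action into a limit action for the same flow, not whether the state table is corrupt.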