Date:      Thu, 12 Oct 2000 14:31:50 -0400
From:      Bill Fumerola <billf@chimesnet.com>
To:        Jun Kuriyama <kuriyama@imgsrc.co.jp>
Cc:        Current <FreeBSD-current@FreeBSD.org>
Subject:   Re: Fragments refused by ipfw
Message-ID:  <20001012143150.C37870@jade.chc-chimes.com>
In-Reply-To: <7mzokajzvo.wl@waterblue.imgsrc.co.jp>; from kuriyama@imgsrc.co.jp on Thu, Oct 12, 2000 at 04:13:31PM +0900
References:  <7mzokajzvo.wl@waterblue.imgsrc.co.jp>

On Thu, Oct 12, 2000 at 04:13:31PM +0900, Jun Kuriyama wrote:

> Host A is my desktop box (-current), host B is an NFS server (3-stable).
> Sometimes (at heavy load on NFS?), my access to the NFS server is locked.
> At that time, the following messages are logged.
> 
> ipfw: -1 Refuse UDP hostB hostA in via fxp0 Fragment = 925
> 
> I used ipfw with default accept but no rules.  I have not seen such a
> message before.

To be perfectly honest, I don't see what code path could cause this; if
it hits the default rule we jump out of ipfw right away:


        for (; chain; chain = LIST_NEXT(chain, chain)) {
again:
                f = chain->rule;
                if (f->fw_number == IPFW_DEFAULT_RULE)
                    goto got_match ;
[...]
got_match:
#if STATEFUL   /* stateful ipfw */
                /*
                 * If not a dynamic match (q == NULL) and keep-state, install
                 * a new dynamic entry.
                 */
                if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S)
                    install_state(chain);
#endif
                *flow_id = chain ; /* XXX set flow id */
                /* Update statistics */
                f->fw_pcnt += 1;
                f->fw_bcnt += ip->ip_len;
                f->timestamp = time_second;

                /* Log to console if desired */
                if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose)
                        ipfw_report(f, ip, rif, oif);

                /* Take appropriate action */
                switch (f->fw_flg & IP_FW_F_COMMAND) {
                case IP_FW_F_ACCEPT:
                        return(0);

That's the entire codepath of a default rule hit. The message you're
seeing is from ipfw_report(), which shouldn't be called from the
default rule match either.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                billf@chimesnet.com / billf@FreeBSD.org




