From: Mark
Date: Tue, 03 Aug 2004 16:33:19 GMT
cc: freebsd-hackers@freebsd.org
Subject: Re: One OR MORE of source and destination addresses?

Mark wrote:
> Bill Moran wrote:
>
>> How about using skipto instead of allow? Thus, if it passes the
>> first one, it can just skipto the next rule to be checked. i.e.:
>>
>> ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
>> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>>
>> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
>> reject as always. The end result is that a packet _must_ pass both
>> rules to be allowed.
>
> I spoke too soon. :( It seems this sort of rule evokes a bug:
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-April/001084.html
>
> My whole console is flooded with messages like these:
>
> "ipfw: install_state: entry already present, done"
>
> Is there a known patch?

I just took a look at the code:

    if (q != NULL) { /* should never occur */
        if (last_log != time_second) {
            last_log = time_second;
            printf("ipfw: install_state: entry already present, done\n");
        }
        return 0;
    }

What if I just hack the "printf ..." line out of there? Would that 'solve'
it? I know it's dirty; but would things still work?

Thanks,

- Mark
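
The fragment quoted in the message above, as a user-space C model added here for illustration; it is not FreeBSD source and not part of the original message. It assumes that rules 11 and 12 of the skipto pair each try to install state for the same flow, and it counts how often the duplicate branch runs against how often it logs; `lookup_state`, `simulate`, the counters and the sample addresses are invented for the model.

```c
/* User-space model, constructed for illustration; not FreeBSD source. */
#include <stdio.h>
struct flow { unsigned src, sport; };    /* dst is always "me", port 25 */
#define MAX_STATES 4096
static struct flow states[MAX_STATES];
static int nstates, dup_hits, dup_logged, log_enabled;  /* model-only */
static long time_second, last_log;       /* stand-ins for the kernel's */
static struct flow *lookup_state(const struct flow *f) {
    for (int i = 0; i < nstates; i++)
        if (states[i].src == f->src && states[i].sport == f->sport)
            return &states[i];
    return NULL;
}
/* Same shape as the quoted fragment: a duplicate returns 0, logged or not. */
static int install_state(const struct flow *f) {
    struct flow *q = lookup_state(f);
    if (q != NULL) {                     /* should never occur */
        dup_hits++;
        if (last_log != time_second) {
            last_log = time_second;
            if (log_enabled) {           /* 0 models the printf removed */
                printf("ipfw: install_state: entry already present, done\n");
                dup_logged++;
            }
        }
        return 0;
    }
    if (nstates == MAX_STATES) return 1;
    states[nstates++] = *f;
    return 0;
}

/* Assumption: each new connection reaches rules 11 and 12 with one flow id. */
static int simulate(int seconds, int conns_per_sec, int logging) {
    nstates = dup_hits = dup_logged = 0;
    last_log = -1;
    log_enabled = logging;
    for (time_second = 0; time_second < seconds; time_second++)
        for (int c = 0; c < conns_per_sec; c++) {
            struct flow f = { 0x0a000001u + (unsigned)c, 1024u + (unsigned)time_second };
            install_state(&f);           /* rule 11: limit dst-addr 32 */
            install_state(&f);           /* rule 12: limit src-addr 4 */
        }
    return dup_hits;
}

int main(void) {
    int hits = simulate(3, 50, 1);
    return printf("dup=%d logged=%d states=%d\n", hits, dup_logged, nstates) < 0;
}
```

In this model the return values and the state table are identical with logging on or off; only the once-per-second console line differs, and it undercounts how often the duplicate branch is taken.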