From owner-freebsd-stable Thu Oct 24 3:19:55 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D71D37B401 for ; Thu, 24 Oct 2002 03:19:53 -0700 (PDT) Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.FreeBSD.org (Postfix) with ESMTP id C2D9943E4A for ; Thu, 24 Oct 2002 03:19:50 -0700 (PDT) (envelope-from eugen@kuzbass.ru) Received: from kuzbass.ru (kost [213.184.65.82]) by www.svzserv.kemerovo.su (8.12.6/8.12.5) with ESMTP id g9OAJcL4001675; Thu, 24 Oct 2002 18:19:42 +0800 (KRAST) (envelope-from eugen@kuzbass.ru) Message-ID: <3DB7C92C.20FBA28@kuzbass.ru> Date: Thu, 24 Oct 2002 18:19:24 +0800 From: Eugene Grosbein Organization: SVZServ X-Mailer: Mozilla 4.79 [en] (Win95; U) X-Accept-Language: ru,en MIME-Version: 1.0 To: Maxim Konovalov Cc: stable@FreeBSD.ORG Subject: Re: Call for testers: ipfw(8) limit patch References: <20021021174100.Q1221-100000@news1.macomnet.ru> <3DB4F490.57050242@kuzbass.ru> <20021022155420.G59161-100000@news1.macomnet.ru> <3DB60570.C75F91EA@kuzbass.ru> <20021023133644.T22644-100000@news1.macomnet.ru> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG > > > That code is from ipfw2, please discuss this issue with Luigi. > > > > I'd suggest using log() instead of printf() in ipfw[2]. > > Does it suit you? > > Index: sys/netinet/ip_fw.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v > retrieving revision 1.131.2.35 > diff -u -r1.131.2.35 ip_fw.c > --- sys/netinet/ip_fw.c 29 Jul 2002 02:04:25 -0000 1.131.2.35 > +++ sys/netinet/ip_fw.c 23 Oct 2002 09:35:54 -0000 
> @@ -696,11 +696,11 @@ > if (zap) > zap = force || TIME_LEQ( q->expire , time_second ); > /* do not zap parent in first pass, record we need a second pass */ > - if (q->dyn_type == DYN_LIMIT_PARENT) { > + if (zap && q->dyn_type == DYN_LIMIT_PARENT) { > max_pass = 1; /* we need a second pass */ > - if (zap == 1 && (pass == 0 || q->count != 0) ) { > + if (pass == 0 || q->count != 0) { > zap = 0 ; > - if (pass == 1) /* should not happen */ > + if (pass == 1 && force) /* should not happen */ > printf("OUCH! cannot remove rule, count %d\n", > q->count); > } > @@ -987,8 +987,21 @@ > } > if (parent->count >= conn_limit) { > EXPIRE_DYN_CHAIN(rule); /* try to expire some */ > + /* > + * The expiry might have removed the parent too. > + * We lookup again, which will re-create if necessary. > + */ > + parent = lookup_dyn_parent(&id, rule); > + if (parent == NULL) { > + printf("add parent failed\n"); > + return 1; > + } > if (parent->count >= conn_limit) { > - printf("drop session, too many entries\n"); > + if (fw_verbose && last_log != time_second) { > + last_log = time_second; > + log(LOG_SECURITY | LOG_INFO, > + "drop session, too many entries\n"); > + } > return 1; > } > } > > %%% I've tried this patch. It doesn't flood a console but it floods syslog :-) It would be nice to have opportunity to distinguish messages from 'ipfw log' about packets that violate security policy from messages of this part of code just yelling Hey! ipfw limit is working! Hey! ipfw limit is working! Hey! ipfw limit is working! And so on :-) syslog compresses these messages but seriously, I'd like to have a method to eliminate them when they are useless but keep warnings from 'ipfw log'. Eugene Grosbein To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
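Review bot: in the first hunk (@@ -696) the `/* should not happen */` comment no longer matches the condition it annotates: with `if (pass == 1 && force)` the message is now deliberately suppressed in the non-forced case, so the non-forced second-pass failure is expected and silent, and only the forced one is anomalous. Update the comment to say that, and consider moving this `printf("OUCH! cannot remove rule, count %d\n", ...)` to the same `log()` call style as the second hunk, since it is still an unthrottled console print.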
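Review bot: in the second hunk (@@ -987) the throttle `if (fw_verbose && last_log != time_second)` still emits up to one line per second for as long as the limit is being hit, which is exactly the syslog flood the reply below reports, and because it is keyed off `fw_verbose` it cannot be silenced without also silencing the `ipfw log` rule output the reporter wants to keep; a separate tunable (or gating on a sysctl other than `fw_verbose`) would let the two be controlled independently. Also note that `last_log` is not declared anywhere in this hunk, so the patch depends on a declaration elsewhere, and the new `printf("add parent failed\n")` path is neither throttled nor sent through `log()`, unlike the drop message three lines below it.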