Date:      26 Feb 2003 22:42:54 -0000
From:      Alex Popa <razor@ldc.ro>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/48717: ipfw2 probability is wrong 
Message-ID:  <20030226224254.69475.qmail@ldc.ro>



>Number:         48717
>Category:       kern
>Synopsis:       ipfw2 probability is wrong
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 26 14:50:06 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alex Popa
>Release:        FreeBSD 4.8-PRERELEASE i386
>Organization:
>Environment:
System:	 FreeBSD ric.interactive.ro 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #0: Wed Feb 19 23:21:16 EET 2003 root@ric.interactive.ro:/usr/obj/usr/src/sys/RIC i386


>Description:
ipfw2 uses an inverted probability while trying to match rules.

It seems this behaviour is wrongly inherited from ipfw1.  The ipfw1
userland program uses "1-d" for the probability calculation, and the
kernel uses "random() < f->dont_match_prob" as the condition for *NOT*
matching the packet.  However, the ipfw2 kernel part uses a very similar
condition for *matching* the packet.

>How-To-Repeat:
Use a simple firewall, like this (note only on a test machine!):

ipfw add 1 drop prob 0.99 ip from any to any out
ipfw add 2 permit all from any to any

Then ping some host on the local network.  Instead of a 99% loss rate,
you get a 1% loss.
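To make the inversion concrete, here is an added simulation that is not part of the PR or of FreeBSD's code: it stands in for the kernel's random() with a small deterministic generator, encodes "drop prob 0.99" the way the report says ipfw1 userland does ("1-d"), and counts how often each kernel condition matches. The generator, the encoder and the helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's random(): a 31-bit value in [0, 0x7fffffff],
 * produced by a deterministic xorshift generator so runs are reproducible
 * (assumption: only the value range matters for this demonstration). */
static uint32_t rng_state = 2463534242u;

static void krandom_seed(uint32_t seed) { rng_state = seed ? seed : 1; }

static uint32_t krandom(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state & 0x7fffffff;
}

/* Userland encoding as the report describes it for ipfw1: the stored value
 * is "1-d", i.e. the probability of NOT matching, scaled to random()'s range. */
static uint32_t encode_dont_match_prob(double d) {
    return (uint32_t)((1.0 - d) * 0x7fffffff);
}

/* ipfw1 kernel: "random() < dont_match_prob" means the packet is NOT matched. */
static int ipfw1_matches(uint32_t d0) { return !(krandom() < d0); }

/* ipfw2 kernel before the patch: the same comparison used as the MATCH condition. */
static int ipfw2_buggy_matches(uint32_t d0) { return krandom() < d0; }

/* ipfw2 kernel with the PR's patch applied: the comparison negated. */
static int ipfw2_patched_matches(uint32_t d0) { return !(krandom() < d0); }

/* Fraction of n packets that a rule with encoded probability d0 matches. */
static double match_rate(int (*matches)(uint32_t), uint32_t d0, int n) {
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += matches(d0);
    return (double)hits / n;
}

int main(void) {
    uint32_t d0 = encode_dont_match_prob(0.99);   /* "drop prob 0.99" */
    printf("ipfw1           drop rate: %.3f\n", match_rate(ipfw1_matches, d0, 100000));
    printf("ipfw2 (buggy)   drop rate: %.3f\n", match_rate(ipfw2_buggy_matches, d0, 100000));
    printf("ipfw2 (patched) drop rate: %.3f\n", match_rate(ipfw2_patched_matches, d0, 100000));
    return 0;
}
```

The buggy line reproduces the report's observation (about 1% dropped instead of 99%), and the patched line agrees with ipfw1.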

>Fix:

Apply the following patch to /usr/src/sys/netinet/ip_fw2.c:

--- ip_fw2.c.orig	Thu Feb 27 00:29:33 2003
+++ ip_fw2.c	Thu Feb 27 00:29:58 2003
@@ -1747,7 +1747,7 @@
 				break;
 
 			case O_PROB:
-				match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
+				match = !(random()<((ipfw_insn_u32 *)cmd)->d[0]);
 				break;
 
 			/*
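Review bot: the negation at the O_PROB case assumes the ipfw2 userland still stores the ipfw1-style "1-d" value in d[0], which the description infers but does not show; the inversion can be corrected on either side, so please confirm which encoding the ipfw2 front end in sbin/ipfw emits and change exactly one of the two, otherwise the bug comes back if someone later fixes the userland value as well. If the kernel side is kept, `match = (random() >= ((ipfw_insn_u32 *)cmd)->d[0]);` says the same thing more readably than `!(random()<...)`, and a one-line comment that d[0] holds the probability of not matching would spare the next reader the same confusion.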

>Release-Note:
>Audit-Trail:
>Unformatted:
