Date:      Sun,  6 Aug 2000 16:54:43 -0700 (PDT)
From:      roland+freebsd@frob.com
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/20448: expired dynamic rules shown in "ipfw get" output
Message-ID:  <20000806235443.7597337BC6F@hub.freebsd.org>


>Number:         20448
>Category:       kern
>Synopsis:       expired dynamic rules shown in "ipfw get" output
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 06 17:00:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Roland McGrath
>Release:        4.0-20000706-STABLE
>Organization:
>Environment:
FreeBSD gateway.sf.frob.com 4.0-20000706-STABLE FreeBSD 4.0-20000706-STABLE #4: Sun Aug  6 16:22:24 PDT 2000     roland@gateway.sf.frob.com:/usr/src/sys/compile/FIREWALL  i386

>Description:
IP firewall dynamic rules have expiration times, but these times are
only checked when a hash lookup happens to walk over an expired rule,
or when the entire rule table is full and must be cleaned up to make
space for a new rule.  This is not a problem in practice, but it makes
for extraneous (and perhaps confusing) output in "ipfw get", since
expired dynamic rules are listed with a timeout value of 0--in fact
indicating that the rules have already expired and will have no effect
on future packet classification.
>How-To-Repeat:
Use ipfw dynamic rules (keep-state).  Invoke such a rule.
Note its presence in "ipfw get".  Wait for the rule to time out.
Again do "ipfw get" and note the continued presence of the expired
rule.

>Fix:
I made the following change to sys/netinet/ip_fw.c, which simply
does the expired-rule collection procedure before walking the hash
table for an IP_FW_GET request.  It looks like the current version
of ip_fw.c has not changed this part of the code, so this change
should still apply.  It would be perhaps better to modify
remove_dyn_rule to do the rule count during its walk (rather than
do two walks here), but this was the minimal code change.

diff -ubp /sys/netinet/ip_fw.c.~1~ /sys/netinet/ip_fw.c
--- /sys/netinet/ip_fw.c.~1~    Sun Aug  6 16:50:28 2000
+++ /sys/netinet/ip_fw.c        Sun Aug  6 16:50:28 2000
@@ -1720,6 +1720,7 @@ ip_fw_ctl(struct sockopt *sopt)
                    int i ;
                    struct ipfw_dyn_rule *p ;

+                   remove_dyn_rule(NULL, 0 /* expire */);
                    for (i = 0 ; i < curr_dyn_buckets ; i++ )
                        for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next )
                            size += sizeof(*p) ;

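Review bot: confirm that this new call site is protected the same way as the existing expiry paths (the hash-lookup and table-full cases described above), because `remove_dyn_rule(NULL, 0 /* expire */);` unlinks entries from `ipfw_dyn_v` while the loop immediately below it dereferences `p->next` across every bucket; if the IP_FW_GET path does not already run at the interrupt priority level those paths use, the sweep and the walk should be wrapped accordingly. A short comment above the call stating that it purges expired entries so that `size` counts only live rules would also help the next reader, and, as the submitter already notes, having remove_dyn_rule return the surviving count would remove the second walk entirely.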

>Release-Note:
>Audit-Trail:
>Unformatted:

