From: Bill Moran <wmoran@potentialtech.com>
To: Mark
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Date: Tue, 3 Aug 2004 12:56:17 -0400
Subject: Re: One OR MORE of source and destination addresses?
Message-Id: <20040803125617.06d9d0bd.wmoran@potentialtech.com>
In-Reply-To: <200408031633.I73GXIBP038908@asarian-host.net>
Organization: Potential Technologies

Mark wrote:

> Mark wrote:
>
> > Bill Moran wrote:
> >
> >> How about using skipto instead of allow? Thus, if it passes the
> >> first one, it can just skipto the next rule to be checked. i.e.:
> >>
> >> ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
> >> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
> >>
> >> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
> >> reject as always. The end result is that a packet _must_ pass both
> >> rules to be allowed.
> >
> > I spoke too soon. :( It seems this sort of rule evokes a bug:
> >
> > http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-April/001084.html
> >
> > My whole console is flooded with messages like these:
> >
> > "ipfw: install_state: entry already present, done"
> >
> > Is there a known patch?
>
> I just took a look at the code:
>
>     if (q != NULL) { /* should never occur */
>         if (last_log != time_second) {
>             last_log = time_second;
>             printf("ipfw: install_state: entry already present, done\n");
>         }
>         return 0;
>     }
>
> What if I just hack the "printf ..." line out of there? Would that 'solve'
> it? I know it's dirty; but would things still work?

Theoretically, yes (note that I'm certainly no expert on this chunk of code).

My reason for saying yes is:

1) The error seems to be that IPFW is trying to add the same stateful rule
   twice ... which means it _did_ get successfully added once.

2) When that condition occurs, the function returns 0. The comment at the
   top of the file states that the function returns 1 on failure, so it
   would appear that this condition is still considered successful.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
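An added illustration of why the two-rule chain floods the console, written for this thread and not taken from FreeBSD's ipfw source: both rule 11 and rule 12 carry a "limit" option, so each one calls install_state() for the same packet, and the second call finds the entry the first one installed. The state table, the flow key and the return convention below are a constructed model; only the "entry already present" branch and its last_log throttle follow the snippet quoted above.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of ipfw's dynamic-state table (not FreeBSD's code).
 * A rule carrying "limit" is stateful: when a packet matches it,
 * install_state() tries to add an entry keyed on the flow tuple. */
struct flow { uint32_t src, dst, sport, dport, proto; };   /* no padding */
struct dyn_entry { struct flow f; int rule; };

#define MAX_DYN 64
static struct dyn_entry table[MAX_DYN];
static int ndyn;
static unsigned dup_hits;    /* times the "entry already present" path ran */
static unsigned log_lines;   /* console lines emitted, one per second */
static long last_log = -1;

static struct dyn_entry *lookup_dyn(const struct flow *f) {
    for (int i = 0; i < ndyn; i++)
        if (memcmp(&table[i].f, f, sizeof *f) == 0)
            return &table[i];
    return NULL;
}

/* Same convention as the quoted kernel code: 0 on success, the duplicate
 * case included; 1 only when the table has no room. */
static int install_state(int rule, const struct flow *f, long now) {
    if (lookup_dyn(f) != NULL) {        /* "should never occur" */
        dup_hits++;
        if (last_log != now) {          /* the last_log throttle */
            last_log = now;
            log_lines++;
        }
        return 0;
    }
    if (ndyn >= MAX_DYN)
        return 1;
    table[ndyn].f = *f;
    table[ndyn].rule = rule;
    ndyn++;
    return 0;
}

/* The chain from the thread: rule 11 (skipto 12 ... limit) and then
 * rule 12 (allow ... limit) both call install_state() for one packet.
 * Returns 1 if the packet is allowed, 0 if install_state() failed. */
static int run_chain(const struct flow *f, long now) {
    if (install_state(11, f, now) != 0) return 0;   /* rule 11: skipto 12 */
    if (install_state(12, f, now) != 0) return 0;   /* rule 12: allow */
    return 1;
}
```

Every new SMTP connection raises dup_hits once (the packet is still allowed, since the duplicate branch returns 0), while the last_log check collapses the console output to one line per second, which matches both the flood Mark saw and Bill's reading of the return value.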