Date: Wed, 4 Oct 2006 09:41:12 GMT
From: Oleg Gawriloff <barzog@telecom.by>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/103967: ipfw2 limit src-addr logging is not sufficient for debug
Message-ID: <200610040941.k949fCYM040471@www.freebsd.org>
Resent-Message-ID: <200610040950.k949oEfs069092@freefall.freebsd.org>

>Number:         103967
>Category:       kern
>Synopsis:       ipfw2 limit src-addr logging is not sufficient for debug
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 04 09:50:13 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Oleg Gawriloff
>Release:        4.11/5.3
>Organization:   Atlant Telecom
>Environment:
FreeBSD martin.telecom.by 4.11-RELEASE-p12 FreeBSD 4.11-RELEASE-p12 #3: Tue Dec 20 09:30:16 EET 2005 root@martin.telecom.by:/usr/obj/usr/src/sys/MARTIN i386
>Description:
When the ipfw rule

    ipfw add 20 allow tcp from me to any limit src-addr 2

is in effect, the kernel logs it as

    Oct 4 12:34:48 martin /kernel: drop session, too many entries

which is not sufficient to diagnose the problem. At
http://cvs.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/StatefulFirewalling
a patch is located which solves this problem (i.e. after the patch, log entries look like
"drop session 129.97.20.165:1026 -> 129.97.20.200:23, TOO many entries"),
which is far more preferable than the current behaviour.
>How-To-Repeat:
Just test a limit src-addr rule and view the log output.
>Fix:
http://www.freebsd.uwaterloo.ca/ip_fw2.patch
>Release-Note:
>Audit-Trail:
>Unformatted:
