Date: Mon, 28 Jul 2008 18:28:17 -0700 (PDT)
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: misc/126060: IPFW limit checking in nightly security scripts slightly botched
Message-ID: <20080729012817.DEA991142D@segfault.tristatelogic.com>
Resent-Message-ID: <200807290130.m6T1U60M060888@freefall.freebsd.org>
>Number: 126060
>Category: misc
>Synopsis: IPFW limit checking in nightly security scripts slightly botched
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 29 01:30:06 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Ronald F. Guilmette
>Release: FreeBSD 6.3-RELEASE i386
>Organization:
Infinite Monkeys & Co. LLC
>Environment:
System: FreeBSD xxxxxxx.tristatelogic.com 6.3-RELEASE
>Description:
The following two scripts fail to correctly interpret sysctl IPFW
logging limits of "0" (i.e. "no limit") for IPv4 and IPv6 respectively:
/etc/periodic/security/550.ipfwlimit
/etc/periodic/security/650.ip6fwlimit
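Added example, not the PR's patch or the FreeBSD scripts themselves: a self-contained shell reproduction of the corrected per-rule check, run over constructed sample lines, showing that a limit of 0 reports nothing while a positive limit reports only the rules above it. It assumes the `ipfw -a list` column layout the scripts rely on (rule number in $1, packet count in $2).

```shell
# Added example (not the PR's patch or the FreeBSD script): the corrected
# 550.ipfwlimit/650.ip6fwlimit filter applied to constructed sample output.
# Assumed line layout, as in `ipfw -a list`: $1 = rule number, $2 = packet
# count (the field the periodic scripts compare against the limit).

# Constructed sample lines, not output from a real system.
SAMPLE_RULES='00100 12 1024 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 7 512 deny log ip from 10.0.0.0/8 to any in
65535 3 96 deny ip from any to any'

# Print the rules whose packet count exceeds the logging limit.
# A limit of 0 means "no limit", so nothing is reported; an empty
# argument (e.g. sysctl unavailable) is treated as 0 rather than being
# handed to awk as a non-numeric string.
rules_over_limit() {
    limit="${1:-0}"
    printf '%s\n' "$SAMPLE_RULES" |
        grep -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+' |
        awk -v limit="$limit" \
            '{ if (limit != 0 && $2 > limit) print $0 }'
}

# Number of rules reported for a given limit (what the periodic script
# effectively tests with `[ -s "${TMP}" ]`).
count_over_limit() {
    rules_over_limit "$1" | awk 'END { print NR }'
}

# Usage (prints 2): rules 00100 and 00300 exceed a limit of 5.
count_over_limit 5
```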
>How-To-Repeat:
Run the scripts noted above, or just wait for them to run automagically
at 3AM.
>Fix:
Trivial/obvious patches included below. *** WARNING *** Somebody
please check these for correct awk syntax. I don't do very much awk,
so I may have botched the fixes here. But I think I got them right.
*** etc/periodic/security/550.ipfwlimit- Tue Jan 15 16:33:31 2008
--- etc/periodic/security/550.ipfwlimit Mon Jul 28 18:04:08 2008
***************
*** 55,59 ****
{print $0}
} else {
! if ($2 > limit)
{print $0}}
}' > ${TMP}
--- 55,59 ----
{print $0}
} else {
! if ($2 > limit && limit != 0)
{print $0}}
}' > ${TMP}
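Review bot: on the `!` line the new `limit != 0` test is placed after `$2 > limit`, so the per-line numeric comparison still runs even when the limit is 0; write it as `if (limit != 0 && $2 > limit)` so it short-circuits, or better, test the sysctl value once in the shell and skip the awk pass entirely when it is 0, since no filtering is wanted in that case. The guard only covers this `else` branch; the `{print $0}` on the first context line closes an outer branch whose condition is outside the hunk, so confirm that branch is meant to stay unaffected by the global limit.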
*** etc/periodic/security/650.ip6fwlimit- Tue Jan 15 16:33:31 2008
--- etc/periodic/security/650.ip6fwlimit Mon Jul 28 18:07:26 2008
***************
*** 49,53 ****
grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
awk -v limit="$IPFW_LOG_LIMIT" \
! '{if ($2 > limit) {print $0}}' > ${TMP}
if [ -s "${TMP}" ]; then
rc=1
--- 49,53 ----
grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
awk -v limit="$IPFW_LOG_LIMIT" \
! '{if ($2 > limit && limit != 0) {print $0}}' > ${TMP}
if [ -s "${TMP}" ]; then
rc=1
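Review bot: `awk -v limit="$IPFW_LOG_LIMIT"` hands the sysctl value to awk as-is, so if `IPFW_LOG_LIMIT` is empty (sysctl unavailable or unset) `limit` is a non-numeric string and both `limit != 0` and `$2 > limit` may fall back to string comparison, depending on the awk implementation, rather than behaving as a numeric zero; suggest `-v limit="${IPFW_LOG_LIMIT:-0}"` or checking the value in the shell before the pipeline. Same ordering point as the IPv4 hunk: `limit != 0 && $2 > limit` short-circuits the per-line comparison.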
>Release-Note:
>Audit-Trail:
>Unformatted:
