From owner-freebsd-bugs@FreeBSD.ORG Tue Jul 29 01:30:07 2008 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2166C1065675 for ; Tue, 29 Jul 2008 01:30:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id F374D8FC18 for ; Tue, 29 Jul 2008 01:30:06 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m6T1U6Qo060893 for ; Tue, 29 Jul 2008 01:30:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m6T1U60M060888; Tue, 29 Jul 2008 01:30:06 GMT (envelope-from gnats) Resent-Date: Tue, 29 Jul 2008 01:30:06 GMT Resent-Message-Id: <200807290130.m6T1U60M060888@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Ronald F.Guilmette" Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6723A1065737 for ; Tue, 29 Jul 2008 01:28:18 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from segfault-outgoing-helo.tristatelogic.com (112.171-60-66-fuji-dsl.static.surewest.net [66.60.171.112]) by mx1.freebsd.org (Postfix) with ESMTP id 43CFA8FC12 for ; Tue, 29 Jul 2008 01:28:18 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: by segfault.tristatelogic.com (Postfix, from userid 1237) id DEA991142D; Mon, 28 Jul 2008 18:28:17 -0700 (PDT) Message-Id: <20080729012817.DEA991142D@segfault.tristatelogic.com> Date: Mon, 28 Jul 2008 18:28:17 -0700 (PDT) From: "Ronald F.Guilmette" To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Subject: misc/126060: IPFW limit checking in nightly security scripts slightly botched X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Ronald F.Guilmette" List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Jul 2008 01:30:07 -0000 >Number: 126060 >Category: misc >Synopsis: IPFW limit checking in nightly security scripts slightly botched >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Jul 29 01:30:06 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Ronald F. Guilmette >Release: FreeBSD 6.3-RELEASE i386 >Organization: Infinite Monkeys & Co. LLC >Environment: System: FreeBSD xxxxxxx.tristatelogic.com 6.3-RELEASE >Description: The following two scripts fail to correctly interpret sysctl IPFW logging limits of "0" (i.e. "no limit") for IPv4 and IPv6 respectively: /etc/periodic/security/550.ipfwlimit /etc/periodic/security/650.ip6fwlimit >How-To-Repeat: Run the scripts noted above, or just wait for them to run automagically at 3AM. >Fix: Trivial/obvious patches included below. *** WARNING *** Somebody please check these for correct awk syntax. I don't do very much awk, so I may have botched the fixes here. But I think I got them right. *** etc/periodic/security/550.ipfwlimit- Tue Jan 15 16:33:31 2008 --- etc/periodic/security/550.ipfwlimit Mon Jul 28 18:04:08 2008 *************** *** 55,59 **** {print $0} } else { ! if ($2 > limit) {print $0}} }' > ${TMP} --- 55,59 ---- {print $0} } else { ! if ($2 > limit && limit != 0) {print $0}} }' > ${TMP} *** etc/periodic/security/650.ip6fwlimit- Tue Jan 15 16:33:31 2008 --- etc/periodic/security/650.ip6fwlimit Mon Jul 28 18:07:26 2008 *************** *** 49,53 **** grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ awk -v limit="$IPFW_LOG_LIMIT" \ ! '{if ($2 > limit) {print $0}}' > ${TMP} if [ -s "${TMP}" ]; then rc=1 --- 49,53 ---- grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ awk -v limit="$IPFW_LOG_LIMIT" \ ! '{if ($2 > limit && limit != 0) {print $0}}' > ${TMP} if [ -s "${TMP}" ]; then rc=1 >Release-Note: >Audit-Trail: >Unformatted: