Date: Sat, 17 Nov 2001 10:46:16 -0500
From: Dan Pelleg <peldan@yahoo.com>
To: FreeBSD Stable Issues <FreeBSD-stable@FreeBSD.ORG>
Subject: Re: ipfw dynamic rules
Message-ID: <15350.34376.518812.755301@palraz.wburn>
References: <20011116204240.J70341-100000@shumai.marcuscom.com>
Joe Clarke <marcus@marcuscom.com> writes:

> On Fri, 16 Nov 2001, Ilya wrote:
>
> > Since upgrade to stable, when I do ipfw show I don't see dynamic rules
> > anymore, however the counter against the parent rule is increasing.
> > What changed? Is there a list of changes? How can I make sure it creates
> > rules properly?
>
> ipfw won't show dynamic rules unless you call it with -d. The -e flag
> will list expired dynamic rules.
>
> Joe

Actually, there's a subtle issue with ipfw -d and limit rules. The PARENT
rules' expire field is generally meaningless. That is, there are situations
where a parent with nonzero child count is "expired", and also situations
where children which are counted towards the parent's count are expired.

This can lead to strange-looking ipfw -d output where you either see LIMIT
rules, but not their parent, or else a PARENT rule with a count larger than
the number of children listed. The same problem may also cause the
"OUCH! cannot remove rule" message to appear (it can probably be ignored).

The simple solution seems to be to ignore the expire field altogether for
PARENT rules (and the complex one being to maintain it correctly).
Unfortunately, I don't have a patch for that yet.

--
Dan Pelleg
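The two symptoms Dan describes (LIMIT children without a visible PARENT, or a PARENT whose count exceeds the children actually listed) can be spotted mechanically in `ipfw -d show` output. The script below is an added example and is not part of this thread or of the ipfw sources. It assumes the dynamic-rule lines carry the tokens `PARENT <count>` or `LIMIT` followed by the protocol and the source address, and that the limit rules were written as `limit src-addr`, so parent and children are grouped by rule number plus source address; the sample output it parses is constructed, not captured from a real system.

```shell
#!/bin/sh
# Cross-check PARENT counts against listed LIMIT children in `ipfw -d show`
# output. Added example; the line format below is an assumption about the
# dynamic-rule listing, not copied from a real box.

# Reads `ipfw -d show` output on stdin; prints one line per inconsistency,
# sorted, and prints nothing when every PARENT matches its children.
check_limit_consistency() {
    awk '
    # "PARENT <count> <proto> <src-addr> ..." -> remember the advertised count
    /PARENT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "PARENT") expected[$1 " " $(i + 3)] = $(i + 1)
    }
    # "LIMIT <proto> <src-addr> ..." -> count one listed child
    /LIMIT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "LIMIT") seen[$1 " " $(i + 2)]++
    }
    END {
        for (k in expected)
            if (expected[k] + 0 > seen[k] + 0)
                print "rule " k ": PARENT count " expected[k] \
                      " but only " seen[k] + 0 " LIMIT children listed"
        for (k in seen)
            if (!(k in expected))
                print "rule " k ": " seen[k] \
                      " LIMIT children listed but no PARENT"
    }' | sort
}

# Constructed sample: rule 300 advertises 3 children but lists 2,
# rule 400 lists a LIMIT child whose PARENT is missing (the "expired"
# parent case from the message above), rule 500 is consistent.
SAMPLE='## Dynamic rules:
00300 12 6144 (T 300, slot 1) PARENT 3 tcp 10.0.0.5 0 <-> 0.0.0.0 0
00300 4 2048 (T 290, slot 2) LIMIT tcp 10.0.0.5 40001 <-> 192.0.2.10 80
00300 8 4096 (T 295, slot 3) LIMIT tcp 10.0.0.5 40002 <-> 192.0.2.10 80
00400 2 1024 (T 100, slot 4) LIMIT tcp 10.0.0.9 40003 <-> 192.0.2.20 22
00500 1 512 (T 300, slot 5) PARENT 1 tcp 10.0.0.7 0 <-> 0.0.0.0 0
00500 1 512 (T 300, slot 6) LIMIT tcp 10.0.0.7 40004 <-> 192.0.2.30 25'

# Stand-alone run on the constructed sample; on a live system use
#   ipfw -d show | check_limit_consistency
printf '%s\n' "$SAMPLE" | check_limit_consistency
```

A PARENT that is "expired" in the sense of the message will not appear in plain `ipfw -d show` at all, so its children show up as orphans here; re-running with `ipfw -d -e show` (which includes expired dynamic rules) and comparing the two reports tells you whether the mismatch is the bookkeeping problem Dan describes or a genuinely lost child.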