From owner-freebsd-stable Sat Nov 17 7:46:35 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from palraz.rem.cmu.edu (PALRAZ.REM.CMU.EDU [128.237.161.212]) by hub.freebsd.org (Postfix) with ESMTP id 31D8037B405 for ; Sat, 17 Nov 2001 07:46:30 -0800 (PST)
Received: from palraz.wburn (palraz [192.168.1.1]) by palraz.rem.cmu.edu (8.11.6/8.11.4) with ESMTP id fAHFkL312575 (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified NO) for ; Sat, 17 Nov 2001 10:46:23 -0500 (EST) (envelope-from dpelleg@palraz.rem.cmu.edu)
Received: (from dpelleg@localhost) by palraz.wburn (8.11.6/8.11.6) id fAHFkGv00715; Sat, 17 Nov 2001 10:46:16 -0500 (EST) (envelope-from dpelleg)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15350.34376.518812.755301@palraz.wburn>
Date: Sat, 17 Nov 2001 10:46:16 -0500
To: FreeBSD Stable Issues
Subject: Re: ipfw dynamic rules
X-Mailer: VM 6.92 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
From: Dan Pelleg
Reply-To: Dan Pelleg
References: <20011116204240.J70341-100000@shumai.marcuscom.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Joe Clarke writes:
> On Fri, 16 Nov 2001, Ilya wrote:
>
> > Since the upgrade to stable, when I do ipfw show I don't see dynamic rules
> > anymore; however, the counter against the parent rule is increasing.
> > What changed? Is there a list of changes? How can I make sure it creates
> > rules properly?
>
> ipfw won't show dynamic rules unless you call it with -d. The -e flag
> will list expired dynamic rules.
>
> Joe
>

Actually, there's a subtle issue with ipfw -d and limit rules. The PARENT rules' expire field is generally meaningless. That is, there are situations where a parent with a nonzero child count is "expired", and also situations where children which are counted towards the parent's count are expired.
This can lead to strange-looking ipfw -d output where you either see LIMIT rules but not their parent, or else a PARENT rule with a count larger than the number of children listed. The same problem may also cause the "OUCH! cannot remove rule" message to appear (it can probably be ignored).

The simple solution seems to be to ignore the expire field altogether for PARENT rules (the complex one being to maintain it correctly). Unfortunately, I don't have a patch for that yet.

--
Dan Pelleg

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message