Date: Mon, 16 Aug 2004 23:05:56 -0700
From: Jeremy Chadwick
To: freebsd-current@freebsd.org
Message-ID: <20040817060556.GA7458@parodius.com>
Subject: ipfw2 net.inet.ip.fw.verbose_limit broken

Just wanted to toss this one up here. Also, apologies for not
cross-posting this to freebsd-ipfw, but I'm not on the list; although
they seem to be aware of it:

http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-July/001239.html

Seems that ipfw2's support for net.inet.ip.fw.verbose_limit is, to put
it bluntly, broken. This applies to both -STABLE and -CURRENT.
The following PR has been sitting around for quite some time...

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/46080

I've managed to confirm this still exists even as of an August 5th
build of -CURRENT. Using `logamount' directives per rule works properly
as a workaround.

I've also looked at the patch, although I'm not sure about the
performance implications of looking up a sysctl value per packet with
a matching ipfw2 `log' directive.

The ipfw2 code isn't something I feel even remotely comfortable
tinkering with, so if someone could take a poke at this (or contact
the correct people), that'd be great.

Thanks!

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.                             |