Date: Wed, 10 Jul 2002 06:25:19 -0400
From: Dan Pelleg <daniel+bsd@pelleg.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available
Message-ID: <15660.2959.142937.827544@gargle.gargle.HOWL>
In-Reply-To: <20020709221347.A91104@iguana.icir.org>
References: <20020709023203.A83270@iguana.icir.org> <u2sy9ckpbo1.fsf@gs166.sp.cs.cmu.edu> <20020709221347.A91104@iguana.icir.org>

Luigi Rizzo writes:
> Hi Dan,
> thanks for the report:
>
> > I've only used it briefly. For now it looks ok, with the following observations:
> >
> > 1) the "icmptype" option doesn't seem to be supported
>
> the manpage lists "icmptypes" (plural) as the option keyword,
> though it is true that the previous code allowed abbreviations
> (but those could be ambiguous). I am not sure whether or
> not it is the case to fix it -- for sure i can add "icmptype"
> as an alias for "icmptypes"
>

I see. While both choices are reasonable, this change has the potential of
causing a lot of grief to people who find their rulesets altered. If we're
dropping abbreviations, maybe it's a good idea to provide a
search-and-replace script to convert existing rule scripts. Maybe even
offer it as part of mergemaster (if that's at all possible - I don't know).

> > 3) I'm getting lots of "/kernel: install_state: entry already present,
> > done" (related to (2)?).
>
> this one i cannot reproduce, do you have a small ruleset and
> input example to send me so i can try and reproduce the problem ?
>

That's easy:

    sh /etc/rc.firewall closed
    ipfw add 500 pass tcp from me to any keep-state limit src-addr dst-port 40
    ipfw add 600 pass udp from me to any keep-state limit src-addr dst-port 40

Now just fire up Mozilla (which opens lots of connections in rapid
succession) and watch the logs.

I have another bug to report. The following causes a segfault on a
DUMMYNET-less machine:

    ipfw queue 1 config pipe 10 weight 100 mask src-ip 0xffffffff

Note that if you drop the mask specifier, then it just tells you:

    ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Protocol not available

as it should.