On 06:12+0400, Oct 23, 2002, Eugene Grosbein wrote:

> Maxim Konovalov wrote:
>
> > > > A patch below fixes an incorrect logic in remove_dyn_rule() which
> > > > produces that famous message "OUCH! cannot remove rule..". The second
> > > > part of the patch limits "drop session" message rate.
> > >
> > > I'd like to not have "drop session" written to console altogether.
> > > At most, that should go to syslog but an opportunity to eliminate it
> > > would be nice.
> >
> > That code is from ipfw2, please discuss this issue with Luigi.
>
> I'd suggest using log() instead of printf() in ipfw[2].

Does it suit you?

Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.35
diff -u -r1.131.2.35 ip_fw.c
--- sys/netinet/ip_fw.c 29 Jul 2002 02:04:25 -0000      1.131.2.35
+++ sys/netinet/ip_fw.c 23 Oct 2002 09:35:54 -0000
@@ -696,11 +696,11 @@
            if (zap)
                zap = force || TIME_LEQ( q->expire , time_second );
            /* do not zap parent in first pass, record we need a second pass */
-           if (q->dyn_type == DYN_LIMIT_PARENT) {
+           if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
                max_pass = 1; /* we need a second pass */
-               if (zap == 1 && (pass == 0 || q->count != 0) ) {
+               if (pass == 0 || q->count != 0) {
                    zap = 0 ;
-                   if (pass == 1) /* should not happen */
+                   if (pass == 1 && force) /* should not happen */
                        printf("OUCH! cannot remove rule, count %d\n",
                                q->count);
                }
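Review bot: the `printf("OUCH! cannot remove rule, count %d\n", ...)` line is still an unconditional console printf even though the point of this thread is to stop this code writing to the console; now that it is guarded by `pass == 1 && force` it should fire rarely, but for consistency with the second hunk it should go through `log()` (or at least be rate-limited the same way). Also, the `/* should not happen */` comment now sits next to a condition that deliberately excludes the non-forced case, so a short comment explaining why a parent with `q->count != 0` on the second pass is expected when `force` is not set (its children have not expired yet) would help the next reader. Moving the `zap &&` test in front of `q->dyn_type == DYN_LIMIT_PARENT` means `max_pass` is no longer set for a parent that is not due to expire, which looks correct since such a parent would not be removed in a second pass anyway, but that reasoning belongs in the commit message.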
@@ -987,8 +987,21 @@
        }
        if (parent->count >= conn_limit) {
            EXPIRE_DYN_CHAIN(rule); /* try to expire some */
+           /*
+            * The expiry might have removed the parent too.
+            * We lookup again, which will re-create if necessary.
+            */
+           parent = lookup_dyn_parent(&id, rule);
+           if (parent == NULL) {
+               printf("add parent failed\n");
+               return 1;
+           }
            if (parent->count >= conn_limit) {
-               printf("drop session, too many entries\n");
+               if (fw_verbose && last_log != time_second) {
+                       last_log = time_second;
+                       log(LOG_SECURITY | LOG_INFO,
+                           "drop session, too many entries\n");
+               }
                return 1;
            }
        }
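Review bot: `last_log` is used on the new lines but its declaration is not part of this diff; if it is a new variable it should be added in this patch (for example `static time_t last_log;` next to the other ipfw globals, since `time_second` is a `time_t`), and the `last_log != time_second` check gives at most one message per second with no indication of how many sessions were dropped in between, so consider counting the suppressed drops and including the count in the message. The `printf("add parent failed\n")` added in the re-lookup path is a bare console printf a few lines above the new `log()` call; for the same reason the drop-session message was moved to `log()`, this one should use `log()` too, and as a new message it could share the rate limit. The re-lookup after `EXPIRE_DYN_CHAIN(rule)` is the right fix for the stale `parent` pointer the comment describes; one nit: "We lookup again" should read "We look up again".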

%%%

-- 
Maxim Konovalov, MAcomnet, Internet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@;macomnet.ru


