Bug 20448
| Summary: | expired dynamic rules shown in "ipfw get" output | ||
|---|---|---|---|
| Product: | Base System | Reporter: | roland+freebsd <roland+freebsd> |
| Component: | kern | Assignee: | Luigi Rizzo <luigi> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Unspecified | ||
| Hardware: | Any | ||
| OS: | Any | ||
On Sun, Aug 06, 2000 at 04:54:43PM -0700, roland+freebsd@frob.com wrote: > >Fix: > I made the following change to sys/netinet/ip_fw.c, which simply > does the expired-rule collection procedure before walking the hash > table for an IP_FW_GET request. It looks like the current version > of ip_fw.c has not changed this part of the code, so this change should still apply. [....] > > diff -ubp /sys/netinet/ip_fw.c.~1~ /sys/netinet/ip_fw.c > --- /sys/netinet/ip_fw.c.~1~ Sun Aug 6 16:50:28 2000 > +++ /sys/netinet/ip_fw.c Sun Aug 6 16:50:28 2000 > @@ -1720,6 +1720,7 @@ ip_fw_ctl(struct sockopt *sopt) > int i ; > struct ipfw_dyn_rule *p ; > > + remove_dyn_rule(NULL, 0 /* expire */); > for (i = 0 ; i < curr_dyn_buckets ; i++ ) > for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next ) > size += sizeof(*p) ; > I believe this has to be called at splnet(). -- Bill Fumerola - Network Architect, BOFH / Chimes, Inc. billf@chimesnet.com / billf@FreeBSD.org > I believe this has to be called at splnet().
I'll buy that. But it seems to me that the walks of the hash table that go
on there ought perhaps to be done at splnet too. Though I guess in
practice lower levels only read and never mutate the list structure.
Responsible Changed From-To: freebsd-bugs->luigi Luigi, this one looks a lot like kern/20201. Could you take a look, though? State Changed From-To: open->closed Joe committed code to ipfw.c to disable showing these rules unless specifically requested. |
IP firewall dynamic rules have expiration times, but these times are only checked when a hash lookup happens to walk over an expired rule, or when the entire rule table is full and must be cleaned up to make space for a new rule. This is not a problem in practice, but it makes for extraneous (and perhaps confusing) output in "ipfw get", since expired dynamic rules are listed with a timeout value of 0--in fact indicating that the rules have already expired and will have no effect on future packet classification. Fix: I made the following change to sys/netinet/ip_fw.c, which simply does the expired-rule collection procedure before walking the hash table for an IP_FW_GET request. It looks like the current version of ip_fw.c has not changed this part of the code, so this change should still apply. It would be perhaps better to modify remove_dyn_rule to do the rule count during its walk (rather than do two walks here), but this was the minimal code change. + remove_dyn_rule(NULL, 0 /* expire */); for (i = 0 ; i < curr_dyn_buckets ; i++ ) for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next ) size += sizeof(*p) ;--ifdDcc9tybiK3gHMeDff9HbtXZ5Cr64uLrpLqcfUAIM0p9Oq Content-Type: text/plain; name="file.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="file.diff" diff -ubp /sys/netinet/ip_fw.c.~1~ /sys/netinet/ip_fw.c --- /sys/netinet/ip_fw.c.~1~ Sun Aug 6 16:50:28 2000 +++ /sys/netinet/ip_fw.c Sun Aug 6 16:50:28 2000 @@ -1720,6 +1720,7 @@ ip_fw_ctl(struct sockopt *sopt) int i ; struct ipfw_dyn_rule *p ; How-To-Repeat: Use ipfw dynamic rules (keep-state). Invoke such a rule. Note its presence in "ipfw get". Wait for the rule to time out. Again do "ipfw get" and note the continued presence of the expired rule.