Bug 96247 - [patch] 550.ipfwlimit reports logs even if log size is not limited.
Summary: [patch] 550.ipfwlimit reports logs even if log size is not limited.
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf (show other bugs)
Version: 5.5-PRERELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-24 06:10 UTC by TsurutaniNaoki
Modified: 2018-01-03 05:16 UTC (History)
Description TsurutaniNaoki 2006-04-24 06:10:13 UTC
	The report sent via periodic daily may contain reports about ipfw.
	This report is created by 550.ipfwlimit even if the log size is unlimited.

Fix: 

"options IPFIREWALL_VERBOSE_LIMIT=0" in the kernel configuration file sets the
	sysctl variable "net.inet.ip.fw.verbose_limit" to 0.
	This means the limit of the log file is not set, according to the message printed
	in the system boot sequence.
	If this is true, the message "ipfw log limit reached" is curious.
	Apply the next patch to src/etc/periodic/security/550.ipfwlimit:

	--- 550.ipfwlimit	Mon Apr 24 13:27:57 2006
	+++ 550.ipfwlimit.orig	Mon Apr 24 13:27:37 2006
	@@ -43,7 +43,7 @@
	 case "$daily_status_security_ipfwlimit_enable" in
	     [Yy][Ee][Ss])
	 	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
	-	if [ $? -ne 0 ] || [ "${IPFW_LOG_LIMIT}" -eq 0 ]; then
	+	if [ $? -ne 0 ]; then
	 		exit 0
	 	fi
	 	TMP=`mktemp -t security`
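	Review bot: the file headers are reversed: `--- 550.ipfwlimit` is the edited copy and `+++ 550.ipfwlimit.orig` is the pristine one, so feeding this to patch(1) would remove the `-eq 0` test instead of adding it; regenerate it as `diff -u 550.ipfwlimit.orig 550.ipfwlimit` so that `if [ $? -ne 0 ] || [ "${IPFW_LOG_LIMIT}" -eq 0 ]; then` shows up as the `+` line. Separately, a blanket `exit 0` whenever the sysctl reads 0 also silences rules that carry their own non-zero `logamount`, which can still reach their limit, so the zero check belongs in the per-rule comparison rather than at this early exit.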

	This fix is not necessary for ip6fw, and is necessary on 6-STABLE.
How-To-Repeat:
	% grep daily_status_security_ipfwlimit_enable /etc/defaults/periodic.conf
	daily_status_security_ipfwlimit_enable="YES"
	% grep daily_status_security_ipfwlimit_enable /etc/periodic.conf
	% sysctl -n net.inet.ip.fw.verbose_limit
	0
	% sh /etc/periodic/security/550.ipfwlimit
	
	ipfw log limit reached:
	00510       1          70 deny log ip from any to 10.0.0.0/8 via xl0
	00520      27        3937 deny log ip from any to 172.16.0.0/12 via xl0
	00600      57        7222 deny log ip from any to 10.0.0.0/8 via sis0
	%
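As an added example (not the FreeBSD 550.ipfwlimit script itself) of the semantics this report and the revised patch in Comment 4 ask for, the shell function below filters a constructed ipfw listing and reports only rules whose packet count exceeds a non-zero limit, with a per-rule logamount taking precedence over the sysctl value; the sample rules, the `report_rules` helper and the decision to skip non-logging rules are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not the FreeBSD 550.ipfwlimit script. Reads "ipfw -a list"
# style lines on stdin and prints rules whose packet count exceeds their
# effective log limit. A limit of 0, whether from net.inet.ip.fw.verbose_limit
# or from a per-rule "logamount", means unlimited and is never reported; a
# non-zero per-rule logamount applies even when the sysctl value is 0.
# Field layout assumed (matches the listing in the bug's How-To-Repeat):
#   $1 rule number, $2 packets, $3 bytes, $4 action, $5 "log",
#   and for per-rule limits $6 "logamount" with its value in $7.
ipfw_over_limit() {
    limit="$1"
    grep '^[[:digit:]]\{1,\}[[:space:]]\{1,\}[[:digit:]]\{1,\}' | \
    awk -v limit="$limit" '
        $5 != "log" { next }   # assumption: only logging rules are of interest
        $6 == "logamount" { if ($7 != 0 && $2 > $7) print; next }
        { if (limit != 0 && $2 > limit) print }'
}

# Constructed sample listing (not captured from any real host).
SAMPLE='00510       1          70 deny log ip from any to 10.0.0.0/8 via xl0
00520      27        3937 deny log logamount 10 ip from any to 172.16.0.0/12 via xl0
00600      57        7222 deny log logamount 0 ip from any to 10.0.0.0/8 via sis0
00700       5         640 deny log ip from any to 192.168.0.0/16 via xl0
65535  100000    12000000 allow ip from any to any'

# Rule numbers that would be reported for a given global limit, space separated.
report_rules() {
    printf '%s\n' "$SAMPLE" | ipfw_over_limit "$1" |
        awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# With the sysctl at 0 only rule 00520 (27 packets over its logamount of 10)
# is reported; the global 0 and the logamount 0 on rule 00600 are unlimited.
report_rules 0; echo
```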
Comment 1 Matteo Riondato freebsd_committer 2006-05-09 18:05:01 UTC
State Changed
From-To: open->closed

This is not a bug: if net.inet.ip.fw.verbose_limit=0 but rules specify a limit, this limit has the priority since it's a specific setting that overrides a general one. 


Comment 2 Matteo Riondato freebsd_committer 2006-05-09 18:05:01 UTC
Responsible Changed
From-To: freebsd-bugs->matteo

Take ownership for feedback management
Comment 3 Matteo Riondato freebsd_committer 2006-05-10 07:02:16 UTC
State Changed
From-To: closed->open

Re-open to look at this PR again: submitter is sure this is a bug, so I'll look at this again.
Comment 4 TsurutaniNaoki 2006-07-11 10:46:31 UTC
In either case, whether logamount is set to 0 or net.inet.ip.fw.verbose_limit is 0,
the limit of logging should be removed; 0 is not "0",
and "ipfw log limit" is not reached.

Here is a new patch:

--- etc/periodic/security/550.ipfwlimit.orig   Mon Apr 24 13:27:37 2006
+++ etc/periodic/security/550.ipfwlimit	Wed May 10 07:00:10 2006
@@ -51,10 +51,10 @@
 	grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
 	awk -v limit="$IPFW_LOG_LIMIT" \
 		'{if ($6 == "logamount") {
-			if ($2 > $7)
+			if ($7 != 0 && $2 > $7)
 				{print $0}
 		} else {
-			if ($2 > limit)
+			if (limit != 0 && $2 > limit)
 				{print $0}}
 		}' > ${TMP}
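Review bot: the hunk header `@@ -51,10 +51,10 @@` announces ten old and ten new lines, but only nine of each are present (three leading context lines, two trailing), so a context line has been lost, most likely at the end, and patch(1) will reject the hunk; please re-attach the complete diff. The logic itself is sound: checking `$7 != 0 && $2 > $7` in the `logamount` branch and `limit != 0 && $2 > limit` in the sysctl branch treats 0 as unlimited in both places while keeping a rule's own non-zero limit in force when net.inet.ip.fw.verbose_limit is 0, which is exactly the case raised in Comment 1, and it makes the earlier patch's early `exit 0` on a zero sysctl unnecessary.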
Comment 5 Mark Linimon freebsd_committer freebsd_triage 2010-06-19 05:42:47 UTC
Responsible Changed
From-To: matteo->freebsd-bugs

Reset PR assigned to inactive committer. 

Hat:	gnats-admin
Comment 6 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:21 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped