From nobody@FreeBSD.org Wed Oct 4 09:41:21 2006
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8884E16A40F
	for ; Wed, 4 Oct 2006 09:41:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4D42443D86
	for ; Wed, 4 Oct 2006 09:41:12 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k949fCL4040513
	for ; Wed, 4 Oct 2006 09:41:12 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k949fCYM040471;
	Wed, 4 Oct 2006 09:41:12 GMT
	(envelope-from nobody)
Message-Id: <200610040941.k949fCYM040471@www.freebsd.org>
Date: Wed, 4 Oct 2006 09:41:12 GMT
From: Oleg Gawriloff
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw2 limit src-addr logging is not sufficient for debug
X-Send-Pr-Version: www-2.3

>Number:         103967
>Category:       kern
>Synopsis:       [ipfw] [patch] ipfw2 limit src-addr logging is not sufficient for debug
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 04 09:50:13 GMT 2006
>Closed-Date:    Mon Nov 20 15:13:57 GMT 2006
>Last-Modified:  Mon Nov 20 15:13:57 GMT 2006
>Originator:     Oleg Gawriloff
>Release:        4.11/5.3
>Organization:
Atlant Telecom
>Environment:
FreeBSD martin.telecom.by 4.11-RELEASE-p12 FreeBSD 4.11-RELEASE-p12 #3: Tue Dec 20 09:30:16 EET 2005 root@martin.telecom.by:/usr/obj/usr/src/sys/MARTIN i386
>Description:
When the ipfw rule

    ipfw add 20 allow tcp from me to any limit src-addr 2

is in effect, the kernel logs it as

    Oct 4 12:34:48 martin /kernel: drop session, too many entries

which is not sufficient to diagnose the problem.

At http://cvs.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/StatefulFirewalling there is a patch which solves this problem (i.e. after the patch, log entries look like "drop session 129.97.20.165:1026 -> 129.97.20.200:23, TOO many entries"), which is far preferable to the current behaviour.
>How-To-Repeat:
Just test a limit src-addr rule and view the log output.
>Fix:
http://www.freebsd.uwaterloo.ca/ip_fw2.patch
>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Oct 10 02:10:58 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=103967

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/103967: commit references a PR
Date: Wed, 11 Oct 2006 11:52:54 +0000 (UTC)

 maxim       2006-10-11 11:52:34 UTC

   FreeBSD src repository

   Modified files:
     sys/netinet          ip_fw2.c
   Log:
   o Extend not very informative ipfw(4) message 'drop session, too many
   entries' by src:port and dst:port pairs.  IPv6 part is non-functional
   as ``limit'' does not support IPv6 flows.

   PR:             kern/103967
   Submitted by:   based on Bruce Campbell patch
   MFC after:      1 month

   Revision  Changes    Path
   1.149     +32 -2     src/sys/netinet/ip_fw2.c

State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Wed Oct 11 12:09:54 UTC 2006
State-Changed-Why:
A similar patch was committed to HEAD. MFC in 1 month. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=103967

State-Changed-From-To: patched->closed
State-Changed-By: maxim
State-Changed-When: Mon Nov 20 15:13:39 UTC 2006
State-Changed-Why:
Merged to RELENG_6.

http://www.freebsd.org/cgi/query-pr.cgi?pr=103967
>Unformatted:
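
Added example (not part of the PR, the referenced patch, or the FreeBSD commit): a small log summarizer showing what the extended message makes possible when diagnosing a "limit src-addr" rule. It assumes the message layout quoted in the description above; the sample lines are constructed and the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from a real host). The first uses the
# old message; the next three assume the layout quoted in the report.
SAMPLE_LOG = """\
Oct 4 12:34:48 martin /kernel: drop session, too many entries
Oct 4 12:35:02 martin /kernel: drop session 129.97.20.165:1026 -> 129.97.20.200:23, too many entries
Oct 4 12:35:03 martin /kernel: drop session 129.97.20.165:1027 -> 129.97.20.200:23, TOO many entries
Oct 4 12:35:09 martin /kernel: drop session 129.97.20.166:4001 -> 129.97.20.200:80, too many entries
Oct 4 12:35:10 martin sshd[411]: unrelated line
"""

# The "src:port -> dst:port" group is optional: the old message lacks it.
# IGNORECASE covers the "TOO many entries" spelling quoted in the report.
DROP_RE = re.compile(
    r"drop session"
    r"(?: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+))?"
    r", too many entries",
    re.IGNORECASE,
)

def summarize_drops(text):
    """Return (drops per source, drops per (dst, dport), drops without flow info)."""
    by_src, by_dst, unattributed = Counter(), Counter(), 0
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m is None:
            continue  # not a limit-rule drop message
        if m.group("src") is None:
            unattributed += 1  # old format: nothing to attribute the drop to
            continue
        by_src[m.group("src")] += 1
        by_dst[(m.group("dst"), int(m.group("dport")))] += 1
    return by_src, by_dst, unattributed

if __name__ == "__main__":
    by_src, by_dst, unattributed = summarize_drops(SAMPLE_LOG)
    for src, n in by_src.most_common():
        print(f"{src}: {n} session(s) refused by the limit rule")
    for (dst, dport), n in by_dst.most_common():
        print(f"  -> {dst}:{dport}: {n}")
    print(f"{unattributed} drop(s) logged without addresses (old format)")
```

Lines in the old format can only be counted, which is the diagnostic gap the report describes.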