From eugen@www.svzserv.kemerovo.su  Mon Sep 23 23:15:26 2002
Return-Path: <eugen@www.svzserv.kemerovo.su>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 50E5537B401; Mon, 23 Sep 2002 23:15:26 -0700 (PDT)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id A9A9D43E42; Mon, 23 Sep 2002 23:15:24 -0700 (PDT)
	(envelope-from eugen@www.svzserv.kemerovo.su)
Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1])
	by www.svzserv.kemerovo.su (8.12.5/8.12.5) with ESMTP id g8O6FLie095478;
	Tue, 24 Sep 2002 14:15:21 +0800 (KRAST)
	(envelope-from eugen@www.svzserv.kemerovo.su)
Received: (from eugen@localhost)
	by www.svzserv.kemerovo.su (8.12.5/8.12.5/Submit) id g8O6FKW3095471;
	Tue, 24 Sep 2002 14:15:20 +0800 (KRAST)
Message-Id: <200209240615.g8O6FKW3095471@www.svzserv.kemerovo.su>
Date: Tue, 24 Sep 2002 14:15:20 +0800 (KRAST)
From: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
Reply-To: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
To: FreeBSD-gnats-submit@freebsd.org
Cc: luigi@freebsd.org
Subject: ipfw ... to not me
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         43319
>Category:       bin
>Synopsis:       ipfw ... to not me
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 23 23:20:02 PDT 2002
>Closed-Date:    Thu Sep 26 00:21:15 PDT 2002
>Last-Modified:  Thu Sep 26 00:21:15 PDT 2002
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002 eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386

>Description:

ipfw from RELENG_4 shows rules like '... to not me' incorrectly:
it shows '... to me' while the kernel contains the right structures.
This bug was fixed in CURRENT (ipfw.c, 1.122) 3 months ago but never in
STABLE. I'm afraid this won't be fixed in 4.7-STABLE. Someone, please fix
this cosmetic but really ugly bug in STABLE.

>How-To-Repeat:

	ipfw add 60000 allow ip from any to not me
	ipfw show 60000

>Fix:

Index: ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.80.2.23
diff -u -r1.80.2.23 ipfw.c
--- ipfw.c      13 May 2002 10:14:59 -0000      1.80.2.23
+++ ipfw.c      3 Sep 2002 01:56:43 -0000
@@ -276,7 +276,8 @@
                printf(" %u", chain->fw_prot);

        if (chain->fw_flg & IP_FW_F_SME) {
-               printf(" from me");
+               printf(" from %sme",
+                       chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
        } else {
                printf(" from %s",
                    chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
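Review bot: the `me` arm now honours IP_FW_F_INVSRC, which is the fix, but the `chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""` expression is now written in both arms of the `if`; printing `" from %s"` with the prefix once before `if (chain->fw_flg & IP_FW_F_SME)` and leaving each arm to print only `me` or the address would remove the duplication and keep the two arms from drifting apart again, which is how the listing got out of step with the kernel flags in the first place.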
@@ -322,7 +323,8 @@
        }

        if (chain->fw_flg & IP_FW_F_DME) {
-               printf(" to me");
+               printf(" to %sme",
+                       chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
        } else {
                printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
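Review bot: the hunk header `@@ -322,7 +323,8 @@` promises 7 old and 8 new lines but only 6 and 7 are present, so a trailing context line (most likely a blank one stripped in transit) is missing and patch(1) will reject the hunk as malformed until it is restored; the content itself mirrors the `from` hunk, including the same IP_FW_F_INVDST test duplicated in both arms.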

While you are here, please commit the next patch.
It allows use of the "ipfw ... limit" feature. Without a similar patch
it's nearly impossible to use this feature under load, as the kernel floods
the console and syslog with debug messages.

--- ip_fw.c.orig        Fri Jun 21 12:06:23 2002
+++ ip_fw.c     Fri Jun 21 12:24:09 2002
@@ -701,9 +701,10 @@
                max_pass = 1; /* we need a second pass */
                if (zap == 1 && (pass == 0 || q->count != 0) ) {
                    zap = 0 ;
-                   if (pass == 1) /* should not happen */
+                   DEB(if (pass == 1) /* should not happen */
                        printf("OUCH! cannot remove rule, count %d\n",
                                q->count);
+                      )
                }
            }
            if (zap) {
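Review bot: wrapping the `if (pass == 1)` check in DEB() compiles away the only diagnostic for a case the comment marks as `should not happen`, so a real inconsistency in the dynamic rule chain (a rule that cannot be removed because `q->count` is still non-zero) would pass silently on non-debug kernels; a counter or a rate-limited message keeps the signal without the flood. The hunk also relies on a DEB() macro defined elsewhere in ip_fw.c, which is not shown, and the stray `)` on its own line, indented differently from the `DEB(` it closes, is hard to read; closing the macro on the `q->count);` line would be clearer.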
@@ -989,7 +990,7 @@
        if (parent->count >= conn_limit) {
            EXPIRE_DYN_CHAIN(rule); /* try to expire some */
            if (parent->count >= conn_limit) {
-               printf("drop session, too many entries\n");
+               DEB(printf("drop session, too many entries\n");)
                return 1;
            }
        }
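Review bot: the `drop session, too many entries` message is the `limit` feature reporting that it rejected a connection, which is exactly the event an operator wants to see when the limit is doing its job under a connection flood; compiling it out with DEB() trades the console flood for no signal at all. A per-second rate limit that counts suppressed messages, or a sysctl counter, would stop the flooding without losing the event, and since this is a kernel change unrelated to the ipfw(8) listing fix it is better tracked separately.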

Eugene Grosbein
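The listing bug this PR reports, as an added example that is neither the PR's nor FreeBSD's code: a user-space model of the ipfw1 from/to printing, with the old `me` arm beside the fixed one, and a parser that reads the listing back so a rule audit can detect when what ipfw(8) prints does not match the flag bits the kernel holds. The flag names and values are constructed stand-ins for the IP_FW_F_SME/DME/INVSRC/INVDST bits, and the address part is reduced to `any`.

```c
#include <stdio.h>
#include <string.h>
/* Flag bits are constructed for this example, not ip_fw.h's real values. */
#define F_SME    0x01u   /* source is "me" */
#define F_DME    0x02u   /* destination is "me" */
#define F_INVSRC 0x04u   /* "not" applies to the source */
#define F_INVDST 0x08u   /* "not" applies to the destination */
/* Render one endpoint. buggy=1 reproduces the old "me" arm, which never
 * looked at the invert bit; buggy=0 applies the prefix in both arms. */
static void render_endpoint(char *out, size_t n, unsigned flg, const char *kw,
                            unsigned me, unsigned inv, int buggy)
{
    const char *neg = (flg & inv) ? "not " : "";
    if (flg & me)
        snprintf(out, n, " %s %sme", kw, buggy ? "" : neg);
    else
        snprintf(out, n, " %s %sany", kw, neg); /* address part reduced to "any" */
}

/* Render a whole rule body the way ipfw(8) would list it. */
void render_rule(char *out, size_t n, unsigned flg, int buggy)
{
    char src[32], dst[32];
    render_endpoint(src, sizeof src, flg, "from", F_SME, F_INVSRC, buggy);
    render_endpoint(dst, sizeof dst, flg, "to", F_DME, F_INVDST, buggy);
    snprintf(out, n, "allow ip%s%s", src, dst);
}

/* Parse listed text back into flag bits; only me/any/not are understood. */
unsigned parse_rule(const char *text)
{
    char buf[128], *tok;
    unsigned flg = 0, cur_me = 0, cur_inv = 0;
    snprintf(buf, sizeof buf, "%s", text);
    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (!strcmp(tok, "from"))     { cur_me = F_SME; cur_inv = F_INVSRC; }
        else if (!strcmp(tok, "to"))  { cur_me = F_DME; cur_inv = F_INVDST; }
        else if (!strcmp(tok, "not")) flg |= cur_inv;
        else if (!strcmp(tok, "me"))  flg |= cur_me;
    }
    return flg;
}

/* 1 if the listing round-trips to the bits the kernel actually holds. */
int display_matches_kernel(unsigned flg, int buggy)
{
    char text[96];
    render_rule(text, sizeof text, flg, buggy);
    return parse_rule(text) == flg;
}
```

With the old arm, a rule whose kernel structure carries both the "me" and the invert bit lists as `to me`, so the round-trip check fails exactly for the `... to not me` case in the report.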
>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@FreeBSD.org>
To: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
Cc: bug-followup@FreeBSD.org, <luigi@FreeBSD.org>
Subject: Re: bin/43319: ipfw ... to not me
Date: Tue, 24 Sep 2002 11:29:32 +0400 (MSD)

 [...]
 > >Synopsis:       ipfw ... to not me
 [...]
 > >Environment:
 > System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD
 > 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002
 > eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386
 >
 > >Description:
 >
 > ipfw from RELENG_4 shows rules like '... to not me' incorrectly,
 > it shows '... to me' while the kernel contains the right structures.
 > This bug was fixed in CURRENT (ipfw.c, 1.122) 3 months ago but never in
 > STABLE. I'm afraid this won't be fixed in 4.7-STABLE. Someone, please fix
 > this cosmetic but really ugly bug in STABLE.
 >
 > >How-To-Repeat:
 >
 > 	ipfw add 60000 allow ip from any to not me
 > 	ipfw show 60000
 >
 > >Fix:
 >
 > Index: ipfw.c
 > ===================================================================
 > RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
 > retrieving revision 1.80.2.23
 > diff -u -r1.80.2.23 ipfw.c
 > --- ipfw.c      13 May 2002 10:14:59 -0000      1.80.2.23
 > +++ ipfw.c      3 Sep 2002 01:56:43 -0000
 > @@ -276,7 +276,8 @@
 >                 printf(" %u", chain->fw_prot);
 >
 >         if (chain->fw_flg & IP_FW_F_SME) {
 > -               printf(" from me");
 > +               printf(" from %sme",
 > +                       chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
 >         } else {
 >                 printf(" from %s",
 >                     chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
 > @@ -322,7 +323,8 @@
 >         }
 >
 >         if (chain->fw_flg & IP_FW_F_DME) {
 > -               printf(" to me");
 > +               printf(" to %sme",
 > +                       chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
 >         } else {
 >                 printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
 
 I suggest a slightly different patch (no functional changes but it
 matches the code in -current)
 
 Index: ipfw.c
 ===================================================================
 RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
 retrieving revision 1.80.2.23
 diff -u -r1.80.2.23 ipfw.c
 --- ipfw.c	13 May 2002 10:14:59 -0000	1.80.2.23
 +++ ipfw.c	24 Sep 2002 07:11:47 -0000
 @@ -275,11 +275,11 @@
  	else
  		printf(" %u", chain->fw_prot);
 
 +	printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
 +
  	if (chain->fw_flg & IP_FW_F_SME) {
 -		printf(" from me");
 +		printf("me");
  	} else {
 -		printf(" from %s",
 -		    chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
 
  		adrt = ntohl(chain->fw_smsk.s_addr);
  		if (adrt == ULONG_MAX && do_resolv) {
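 Review bot: hoisting `printf(" from %s", ...)` above the `if` leaves the IP_FW_F_SME arms printing only `me` or the address, which removes the duplicated invert test; the one nit is that deleting the two `printf` lines leaves the `else` block opening with a blank line before `adrt = ntohl(chain->fw_smsk.s_addr);`, so that blank should go too.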
 @@ -321,11 +321,11 @@
  		}
  	}
 
 +	printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
 +
  	if (chain->fw_flg & IP_FW_F_DME) {
 -		printf(" to me");
 +		printf("me");
  	} else {
 -		printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
 -
  		adrt = ntohl(chain->fw_dmsk.s_addr);
  		if (adrt == ULONG_MAX && do_resolv) {
  			adrt = (chain->fw_dst.s_addr);
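 Review bot: this hunk also removes the blank line that followed the old `printf(" to %s", ...)` (the lone `-` line), so the `to` else-block opens directly with `adrt = ntohl(chain->fw_dmsk.s_addr);`, whereas the `from` hunk above kept its blank; make the two blocks consistent. Otherwise the split into a hoisted `" to %s"` prefix and a bare `"me"` mirrors the `from` change and, as stated, matches the -current code.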
 
 %%%
 
 > While you are here, please commit the next patch.
 > It allows use of the "ipfw ... limit" feature. Without a similar patch
 > it's nearly impossible to use this feature under load, as the kernel floods
 > the console and syslog with debug messages.
 
 It is a really different issue. There is a semi-related PR,
 kern/35887.
 
 > --- ip_fw.c.orig        Fri Jun 21 12:06:23 2002
 > +++ ip_fw.c     Fri Jun 21 12:24:09 2002
 > @@ -701,9 +701,10 @@
 >                 max_pass = 1; /* we need a second pass */
 >                 if (zap == 1 && (pass == 0 || q->count != 0) ) {
 >                     zap = 0 ;
 > -                   if (pass == 1) /* should not happen */
 > +                   DEB(if (pass == 1) /* should not happen */
 >                         printf("OUCH! cannot remove rule, count %d\n",
 >                                 q->count);
 > +                      )
 >                 }
 >             }
 >             if (zap) {
 > @@ -989,7 +990,7 @@
 >         if (parent->count >= conn_limit) {
 >             EXPIRE_DYN_CHAIN(rule); /* try to expire some */
 >             if (parent->count >= conn_limit) {
 > -               printf("drop session, too many entries\n");
 > +               DEB(printf("drop session, too many entries\n");)
 >                 return 1;
 >             }
 >         }
 >
 > Eugene Grosbein
 
 -- 
 Maxim Konovalov, maxim@FreeBSD.org
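The console flooding behind the second patch, handled the other way round, as an added example that is neither the PR's nor FreeBSD's code: instead of compiling the `drop session` message out with DEB(), a per-second budget lets a few copies through and reports how many were withheld, so the limit rule's rejections stay visible in the log under load. The struct and function names are constructed; a kernel version would read the clock instead of taking `now` as an argument.

```c
#include <stdio.h>
/* Per-second budget for one diagnostic. Plain integers so it runs in user
 * space; a kernel version would take `now` from the clock (constructed code). */
struct ratelimit {
    long window_start;    /* second in which the current window began */
    unsigned emitted;     /* messages printed in this window */
    unsigned suppressed;  /* messages withheld in this window */
    unsigned limit;       /* maximum messages per window */
};

/* Returns 1 if the message may be printed now, 0 if it must be withheld.
 * On entering a new window, *lost receives how many were withheld before. */
int ratelimit_check(struct ratelimit *rl, long now, unsigned *lost)
{
    *lost = 0;
    if (now != rl->window_start) {       /* new second: report and reset */
        *lost = rl->suppressed;
        rl->window_start = now;
        rl->emitted = 0;
        rl->suppressed = 0;
    }
    if (rl->emitted < rl->limit) { rl->emitted++; return 1; }
    rl->suppressed++;
    return 0;
}

/* Stand-in for the limit path in ip_fw.c: `events` connections are rejected
 * within second `now`; returns how many diagnostics actually reached the log. */
unsigned simulate_burst(struct ratelimit *rl, long now, unsigned events)
{
    unsigned printed = 0, lost, i;
    for (i = 0; i < events; i++) {
        if (ratelimit_check(rl, now, &lost)) {
            if (lost)
                printf("(%u similar messages suppressed)\n", lost);
            printf("drop session, too many entries\n");
            printed++;
        }
    }
    return printed;
}

/* Two seconds of pressure with a budget of 3 per second; returns total printed. */
unsigned demo(void)
{
    struct ratelimit rl = { 0, 0, 0, 3 };
    return simulate_burst(&rl, 1, 1000) + simulate_burst(&rl, 2, 10);
}
```

A thousand rejections in one second produce three log lines plus a single "997 similar messages suppressed" line at the start of the next second, so the operator still learns both that the limit fired and how hard.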
 
 

From: Eugene Grosbein <eugen@svzserv.kemerovo.su>
To: Maxim Konovalov <maxim@FreeBSD.org>
Cc: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>,
	bug-followup@FreeBSD.org, luigi@FreeBSD.org
Subject: Re: bin/43319: ipfw ... to not me
Date: Tue, 24 Sep 2002 16:47:32 +0800

 Maxim Konovalov wrote:
 
 > I suggest a slightly different patch (no functional changes but it
 > matches the code in -current)
 
 "Works for me".
 
 Eugene Grosbein

From: Luigi Rizzo <luigi@FreeBSD.org>
To: Maxim Konovalov <maxim@FreeBSD.org>
Cc: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>,
	bug-followup@FreeBSD.org
Subject: Re: bin/43319: ipfw ... to not me
Date: Wed, 25 Sep 2002 03:37:58 -0700

 Feel free to commit this, I am not going to touch ipfw1 anymore.
 
 	cheers
 	luigi
 
 On Tue, Sep 24, 2002 at 11:29:32AM +0400, Maxim Konovalov wrote:
 > [...]
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Thu Sep 26 00:19:28 PDT 2002 
State-Changed-Why:  
Fixed in rev. 1.80.2.24 src/sbin/ipfw/ipfw.c in -stable. Thanks. 


Responsible-Changed-From-To: freebsd-bugs->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Thu Sep 26 00:19:28 PDT 2002 
Responsible-Changed-Why:  
Will see potential feedback. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43319 
>Unformatted:
