From rfg@tristatelogic.com  Tue Jul 29 01:28:18 2008
Return-Path: <rfg@tristatelogic.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6723A1065737
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 29 Jul 2008 01:28:18 +0000 (UTC)
	(envelope-from rfg@tristatelogic.com)
Received: from segfault-outgoing-helo.tristatelogic.com (112.171-60-66-fuji-dsl.static.surewest.net [66.60.171.112])
	by mx1.freebsd.org (Postfix) with ESMTP id 43CFA8FC12
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 29 Jul 2008 01:28:18 +0000 (UTC)
	(envelope-from rfg@tristatelogic.com)
Received: by segfault.tristatelogic.com (Postfix, from userid 1237)
	id DEA991142D; Mon, 28 Jul 2008 18:28:17 -0700 (PDT)
Message-Id: <20080729012817.DEA991142D@segfault.tristatelogic.com>
Date: Mon, 28 Jul 2008 18:28:17 -0700 (PDT)
From: Ronald F.Guilmette <rfg@tristatelogic.com>
Reply-To: Ronald F.Guilmette <rfg@tristatelogic.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: IPFW limit checking in nightly security scripts slightly botched
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         126060
>Category:       conf
>Synopsis:       [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    antoine
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 29 01:30:06 UTC 2008
>Closed-Date:    Sat Jan 10 19:11:31 UTC 2009
>Last-Modified:  Sat Jan 10 19:11:31 UTC 2009
>Originator:     Ronald F. Guilmette
>Release:        FreeBSD 6.3-RELEASE i386
>Organization:
Infinite Monkeys & Co. LLC
>Environment:
System: FreeBSD xxxxxxx.tristatelogic.com 6.3-RELEASE

>Description:
	The following two scripts fail to correctly interpret sysctl IPFW
	logging limits of "0" (i.e. "no limit") for IPv4 and IPv6 respectively:

	/etc/periodic/security/550.ipfwlimit
	/etc/periodic/security/650.ip6fwlimit

>How-To-Repeat:
	Run the scripts noted above, or just wait for them to run automagically
	at 3AM.
>Fix:
	Trivial/obvious patches included below.  *** WARNING *** Somebody
	please check these for correct awk syntax.  I don't do very much awk,
	so I may have botched the fixes here.  But I think I got them right.

*** etc/periodic/security/550.ipfwlimit-	Tue Jan 15 16:33:31 2008
--- etc/periodic/security/550.ipfwlimit	Mon Jul 28 18:04:08 2008
***************
*** 55,59 ****
  				{print $0}
  		} else {
! 			if ($2 > limit)
  				{print $0}}
  		}' > ${TMP}
--- 55,59 ----
  				{print $0}
  		} else {
! 			if ($2 > limit && limit != 0)
  				{print $0}}
  		}' > ${TMP}
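Review bot: the awk syntax is fine as written; `limit` arrives through `-v limit="$IPFW_LOG_LIMIT"`, and a -v value that looks numeric is compared numerically, so `limit != 0` behaves as the description intends when the sysctl reports 0. Two small points: the cheap guard reads better first, `if (limit != 0 && $2 > limit)`, and since `limit` is constant for the whole run the zero test belongs in the shell before the pipeline starts, so that a limit of 0 skips the `ipfw -a list` run entirely instead of filtering every rule. Note also that only the `else` branch (rules without `logamount`) gains the guard; the `if ($2 > $7)` branch is unchanged, which is fine only as long as a rule's own `logamount` is never shown as 0.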



*** etc/periodic/security/650.ip6fwlimit-	Tue Jan 15 16:33:31 2008
--- etc/periodic/security/650.ip6fwlimit	Mon Jul 28 18:07:26 2008
***************
*** 49,53 ****
  	    grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
  	    awk -v limit="$IPFW_LOG_LIMIT" \
! 		'{if ($2 > limit) {print $0}}' > ${TMP}
  	    if [ -s "${TMP}" ]; then
  		rc=1
--- 49,53 ----
  	    grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
  	    awk -v limit="$IPFW_LOG_LIMIT" \
! 		'{if ($2 > limit && limit != 0) {print $0}}' > ${TMP}
  	    if [ -s "${TMP}" ]; then
  		rc=1
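Review bot: same guard as in 550.ipfwlimit and equally well-formed; this script has no `logamount` branch, so the single condition covers every matched rule. Consider testing `$IPFW_LOG_LIMIT` for 0 in the shell rather than inside awk: with the limit at 0 nothing can ever be printed, so skipping the `ipfw -a list | grep | awk` run leaves `${TMP}` empty and the `[ -s "${TMP}" ]` test below still does the right thing with less work.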
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Jul 31 14:40:19 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126060 
Responsible-Changed-From-To: freebsd-rc->freebsd-bugs 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Thu Jul 31 19:26:12 UTC 2008 
Responsible-Changed-Why:  

periodic != rc 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126060 

From: "Antoine Brodin" <antoine@FreeBSD.org>
To: bug-followup@freebsd.org, rfg@tristatelogic.com
Cc:  
Subject: Re: conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Date: Sun, 3 Aug 2008 18:32:07 +0200

 I think that this periodic script has a few problems:
 - it should not check rules without "logamount"
 - it should not use sysctl net.inet.ip.fw.verbose_limit
 - it should not run if sysctl net.inet.ip.fw.verbose is not 1
 
 The logging limit for a rule that doesn't have "logamount" is set to
 the value of net.inet.ip.fw.verbose_limit at the time the rule is set,
 and when this rule is shown later it has a logamount:
 
 %%%
 # ipfw -a list
 65535 0 0 deny ip from any to any
 # sysctl net.inet.ip.fw.verbose_limit=0
 net.inet.ip.fw.verbose_limit: 500 -> 0
 # ipfw add 100 allow log ip from any to any
 00100 allow log ip from any to any
 # sysctl net.inet.ip.fw.verbose_limit=100
 net.inet.ip.fw.verbose_limit: 0 -> 100
 # ipfw add 200 allow log ip from any to any
 00200 allow log logamount 100 ip from any to any
 # sysctl net.inet.ip.fw.verbose_limit=200
 net.inet.ip.fw.verbose_limit: 100 -> 200
 # ipfw add 300 allow log ip from any to any
 00300 allow log logamount 200 ip from any to any
 # sysctl net.inet.ip.fw.verbose_limit=300
 net.inet.ip.fw.verbose_limit: 200 -> 300
 # ipfw add 400 allow log ip from any to any
 00400 allow log logamount 300 ip from any to any
 # ipfw add 500 allow log logamount 0 ip from any to any
 00500 allow log ip from any to any
 # ipfw -a list
 00100 10 1227 allow log ip from any to any
 00200  0    0 allow log logamount 100 ip from any to any
 00300  0    0 allow log logamount 200 ip from any to any
 00400  0    0 allow log logamount 300 ip from any to any
 00500  0    0 allow log ip from any to any
 65535  4  436 deny ip from any to any
 %%%
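A small stand-alone check that implements the comparison this thread settles on: the per-rule `logamount` value printed by `ipfw -a list` is the only limit that matters, and a `log` rule listed without it has no limit (logamount 0) and must never be reported. This is an added example, not the FreeBSD periodic script or Antoine's code; the `ipfw_over_limit` function name and the sample rule lines are constructed here, and it goes one step beyond the committed fix by scanning for the `logamount` token instead of assuming it sits in field 6, so actions that carry an argument (skipto, divert, pipe, fwd) are covered as well.

```shell
# Added example, not the FreeBSD periodic script: read "ipfw -a list" output
# on stdin and print the rules whose packet counter has passed their own
# per-rule logging limit.  The "logamount" token is located by scanning the
# fields, so actions with an argument (skipto 1000, divert 8668, ...) do not
# shift it out of view.  Rules that show "log" without "logamount" have no
# limit and are never printed.  ipfw_over_limit is a name chosen here.
ipfw_over_limit() {
    grep ' log ' | \
    grep '^[[:digit:]]\{1,\}[[:space:]]\{1,\}[[:digit:]]\{1,\}' | \
    awk '{
        # $1 rule number, $2 packet count, $3 byte count, $4.. rule body
        for (i = 4; i < NF; i++) {
            if ($i == "logamount") {
                # the field after the token is the per-rule limit
                if ($2 + 0 > $(i + 1) + 0)
                    print $0
                break
            }
        }
    }'
}

# Constructed sample in "ipfw -a list" format (rule, packets, bytes, body).
# Only 00200 and 00400 are over their limit; 00100 has no limit at all.
SAMPLE='00100  10 1227 allow log ip from any to any
00200 150 9000 allow log logamount 100 ip from any to any
00300   5  400 allow log logamount 200 ip from any to any
00400 700 8000 skipto 1000 log logamount 500 ip from any to 10.0.0.0/8
65535   4  436 deny ip from any to any'

# Usage: on a live system replace the printf with "ipfw -a list".
printf '%s\n' "$SAMPLE" | ipfw_over_limit
```

The two leading greps mirror the periodic script's filtering (only rules containing `log`, only lines that start with a rule number and a counter); the `\{1,\}` form is used instead of `\+` so the pattern is plain POSIX BRE.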
Responsible-Changed-From-To: freebsd-bugs->antoine 
Responsible-Changed-By: antoine 
Responsible-Changed-When: Sun Aug 3 20:37:41 UTC 2008 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126060 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/126060: commit references a PR
Date: Sun, 10 Aug 2008 18:12:27 +0000 (UTC)

 antoine     2008-08-10 18:11:24 UTC
 
   FreeBSD src repository
 
   Modified files:
     etc/periodic/security 550.ipfwlimit 
   Log:
   SVN rev 181531 on 2008-08-10 18:11:24Z by antoine
   
   Improve periodic/security/550.ipfwlimit a bit:
   - don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
   - handle rules without logging limit correctly [1]
   (those rules show up without logamount in "ipfw -a list")
   
   PR:             conf/126060 [1]
   MFC after:      1 month
   
   Revision  Changes    Path
   1.11      +3 -6      src/etc/periodic/security/550.ipfwlimit
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: antoine 
State-Changed-When: Sun Aug 10 18:20:54 UTC 2008 
State-Changed-Why:  
Patched in head. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126060 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/126060: commit references a PR
Date: Sat, 10 Jan 2009 19:00:55 +0000 (UTC)

 Author: antoine
 Date: Sat Jan 10 19:00:17 2009
 New Revision: 187031
 URL: http://svn.freebsd.org/changeset/base/187031
 
 Log:
   MFC r181531 to stable/7:
     Improve periodic/security/550.ipfwlimit a bit:
     - don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
     - handle rules without logging limit correctly [1]
     (those rules show up without logamount in "ipfw -a list")
   
     PR:		conf/126060 [1]
     MFC after:	1 month
 
 Modified:
   stable/7/etc/   (props changed)
   stable/7/etc/periodic/security/550.ipfwlimit
 
 Modified: stable/7/etc/periodic/security/550.ipfwlimit
 ==============================================================================
 --- stable/7/etc/periodic/security/550.ipfwlimit	Sat Jan 10 18:19:22 2009	(r187030)
 +++ stable/7/etc/periodic/security/550.ipfwlimit	Sat Jan 10 19:00:17 2009	(r187031)
 @@ -42,19 +42,16 @@ rc=0
  
  case "$daily_status_security_ipfwlimit_enable" in
      [Yy][Ee][Ss])
 -	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
 -	if [ $? -ne 0 ]; then
 +	IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
 +	if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
  		exit 0
  	fi
  	TMP=`mktemp -t security`
  	ipfw -a list | grep " log " | \
  	grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
 -	awk -v limit="$IPFW_LOG_LIMIT" \
 +	awk \
  		'{if ($6 == "logamount") {
  			if ($2 > $7)
 -				{print $0}
 -		} else {
 -			if ($2 > limit)
  				{print $0}}
  		}' > ${TMP}
  
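Review bot: the new test is positional, `$6 == "logamount"` with the limit read from `$7`, which only holds when the action is a single word such as `allow` or `deny`. Actions that take an argument (`skipto 1000 log ...`, `divert 8668 log ...`, `pipe 1 log ...`, `fwd 10.0.0.1 log ...`) shift `logamount` to `$7` and its value to `$8`, so those rules pass the `grep " log "` filter and are then silently never reported; scanning the fields for the `logamount` token and comparing `$2` with the field after it would cover every action. Dropping the `else` branch matches the log message (rules printed without `logamount` have no limit and need no check), and the `[ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]` gate is correct because `$?` immediately after the backtick assignment is the exit status of `sysctl`.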
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/126060: commit references a PR
Date: Sat, 10 Jan 2009 19:03:49 +0000 (UTC)

 Author: antoine
 Date: Sat Jan 10 19:03:35 2009
 New Revision: 187033
 URL: http://svn.freebsd.org/changeset/base/187033
 
 Log:
   MFC r181531 to stable/6:
     Improve periodic/security/550.ipfwlimit a bit:
     - don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
     - handle rules without logging limit correctly [1]
     (those rules show up without logamount in "ipfw -a list")
   
     PR:		conf/126060 [1]
     MFC after:	1 month
 
 Modified:
   stable/6/etc/   (props changed)
   stable/6/etc/periodic/security/550.ipfwlimit
 
 Modified: stable/6/etc/periodic/security/550.ipfwlimit
 ==============================================================================
 --- stable/6/etc/periodic/security/550.ipfwlimit	Sat Jan 10 19:01:29 2009	(r187032)
 +++ stable/6/etc/periodic/security/550.ipfwlimit	Sat Jan 10 19:03:35 2009	(r187033)
 @@ -42,19 +42,16 @@ rc=0
  
  case "$daily_status_security_ipfwlimit_enable" in
      [Yy][Ee][Ss])
 -	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
 -	if [ $? -ne 0 ]; then
 +	IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
 +	if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
  		exit 0
  	fi
  	TMP=`mktemp -t security`
  	ipfw -a list | grep " log " | \
  	grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
 -	awk -v limit="$IPFW_LOG_LIMIT" \
 +	awk \
  		'{if ($6 == "logamount") {
  			if ($2 > $7)
 -				{print $0}
 -		} else {
 -			if ($2 > limit)
  				{print $0}}
  		}' > ${TMP}
  
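Review bot: same hunk as the stable/7 merge, so the positional `$6`/`$7` caveat for actions with an argument applies here too. A separate point: nothing in the script records why the `else` branch was dropped. The commit log explains it (rules printed without `logamount` have no limit), but a reader of the script alone sees only that rules lacking `logamount` are ignored, which looks like an omission rather than a decision; a one-line comment above the awk program, e.g. `# rules shown without logamount have no per-rule limit (logamount 0)`, would keep the next maintainer from re-adding the old `verbose_limit` comparison.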
 
State-Changed-From-To: patched->closed 
State-Changed-By: antoine 
State-Changed-When: Sat Jan 10 19:10:55 UTC 2009 
State-Changed-Why:  
Fixed in head, stable/7 and stable/6. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126060 
>Unformatted:
