From turutani@polymer3.scphys.kyoto-u.ac.jp  Mon Apr 24 05:00:35 2006
Return-Path: <turutani@polymer3.scphys.kyoto-u.ac.jp>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3E19D16A406
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 24 Apr 2006 05:00:35 +0000 (UTC)
	(envelope-from turutani@polymer3.scphys.kyoto-u.ac.jp)
Received: from polymer3.scphys.kyoto-u.ac.jp (polymer3.scphys.kyoto-u.ac.jp [130.54.55.55])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9000343D46
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 24 Apr 2006 05:00:34 +0000 (GMT)
	(envelope-from turutani@polymer3.scphys.kyoto-u.ac.jp)
Received: from polymer3.scphys.kyoto-u.ac.jp (localhost [127.0.0.1])
	by polymer3.scphys.kyoto-u.ac.jp (8.13.4/8.13.4/20060227-1) with ESMTP id k3O50Rea081787;
	Mon, 24 Apr 2006 14:00:27 +0900 (JST)
	(envelope-from turutani@polymer3.scphys.kyoto-u.ac.jp)
Received: (from turutani@localhost)
	by polymer3.scphys.kyoto-u.ac.jp (8.13.4/8.13.4/Submit) id k3O50QOJ081786;
	Mon, 24 Apr 2006 14:00:26 +0900 (JST)
	(envelope-from turutani)
Message-Id: <200604240500.k3O50QOJ081786@polymer3.scphys.kyoto-u.ac.jp>
Date: Mon, 24 Apr 2006 14:00:26 +0900 (JST)
From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Reply-To: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: 550.ipfwlimit reports logs even if log size is not limited.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         96247
>Category:       conf
>Synopsis:       [patch] 550.ipfwlimit reports logs even if log size is not limited.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 24 05:10:13 GMT 2006
>Closed-Date:    
>Last-Modified:  Sat Jun 19 04:43:01 UTC 2010
>Originator:     Tsurutani Naoki
>Release:        FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD polymer3.scphys.kyoto-u.ac.jp 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #19: Thu Mar 23 12:05:35 JST 2006 turutani@polymer3.scphys.kyoto-u.ac.jp:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386


	
>Description:
	The report sent by periodic daily may contain reports about ipfw.
	This report is created by 550.ipfwlimit even if the log size is unlimited.
	
>How-To-Repeat:
	% grep daily_status_security_ipfwlimit_enable /etc/defaults/periodic.conf
	daily_status_security_ipfwlimit_enable="YES"
	% grep daily_status_security_ipfwlimit_enable /etc/periodic.conf
	% sysctl -n net.inet.ip.fw.verbose_limit
	0
	% sh /etc/periodic/security/550.ipfwlimit
	
	ipfw log limit reached:
	00510       1          70 deny log ip from any to 10.0.0.0/8 via xl0
	00520      27        3937 deny log ip from any to 172.16.0.0/12 via xl0
	00600      57        7222 deny log ip from any to 10.0.0.0/8 via sis0
	%
	
>Fix:
	"options IPFIREWALL_VERBOSE_LIMIT=0" in the kernel configuration file sets the
	sysctl variable "net.inet.ip.fw.verbose_limit" to 0.
	This means the limit of the log file is not set, according to the message printed
	in the system boot sequence.
	If this is true, the message "ipfw log limit reached" is curious.
	Apply the next patch to src/etc/periodic/security/550.ipfwlimit:

	--- 550.ipfwlimit	Mon Apr 24 13:27:57 2006
	+++ 550.ipfwlimit.orig	Mon Apr 24 13:27:37 2006
	@@ -43,7 +43,7 @@
	 case "$daily_status_security_ipfwlimit_enable" in
	     [Yy][Ee][Ss])
	 	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
	-	if [ $? -ne 0 ] || [ "${IPFW_LOG_LIMIT}" -eq 0 ]; then
	+	if [ $? -ne 0 ]; then
	 		exit 0
	 	fi
	 	TMP=`mktemp -t security`
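Review bot: the header order is reversed: `--- 550.ipfwlimit` (13:27:57) is the edited copy and `+++ 550.ipfwlimit.orig` (13:27:37) the pristine one, so applied as written the hunk removes the `|| [ "${IPFW_LOG_LIMIT}" -eq 0 ]` test rather than adding the early `exit 0` for an unlimited log that the Fix section asks for. Regenerate it with `diff -u 550.ipfwlimit.orig 550.ipfwlimit` so the `-`/`+` lines match the intended direction. The `$? -ne 0` short-circuit on the same line also matters: it keeps `[ "" -eq 0 ]` from being evaluated when sysctl fails and the variable is empty, so the two tests should stay in that order.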

	This fix is not necessary for ip6fw, and is necessary on 6-STABLE.
	


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: matteo 
State-Changed-When: Tue May 9 17:05:01 UTC 2006 
State-Changed-Why:  
This is not a bug: if net.inet.ip.fw.verbose_limit=0 but rules specify a limit, this limit has the priority since it's a specific setting that overrides a general one. 


Responsible-Changed-From-To: freebsd-bugs->matteo 
Responsible-Changed-By: matteo 
Responsible-Changed-When: Tue May 9 17:05:01 UTC 2006 
Responsible-Changed-Why:  
Take ownership for feedback management 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96247 
State-Changed-From-To: closed->open 
State-Changed-By: matteo 
State-Changed-When: Wed May 10 06:02:16 UTC 2006 
State-Changed-Why:  
Re-open to look at this PR again: submitter is sure this is a bug, so I'll look at this again. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96247 

From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
To: bug-followup@FreeBSD.org, matteo@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: conf/96247: [patch] 550.ipfwlimit reports logs even if log size is not limited.
Date: Tue, 11 Jul 2006 18:46:31 +0900

 In either case, whether logamount is set to 0 or net.inet.ip.fw.verbose_limit is 0,
 the limit on logging should be removed; 0 is not "0",
 and "ipfw log limit" is not reached.
 
 Here is a new patch:
 
 --- etc/periodic/security/550.ipfwlimit.orig   Mon Apr 24 13:27:37 2006
 +++ etc/periodic/security/550.ipfwlimit	Wed May 10 07:00:10 2006
 @@ -51,10 +51,10 @@
  	grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
  	awk -v limit="$IPFW_LOG_LIMIT" \
  		'{if ($6 == "logamount") {
 -			if ($2 > $7)
 +			if ($7 != 0 && $2 > $7)
  				{print $0}
  		} else {
 -			if ($2 > limit)
 +			if (limit != 0 && $2 > limit)
  				{print $0}}
  		}' > ${TMP}
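Review bot: both branches now express the same rule (a limit of 0 means unlimited, otherwise flag the rule when the packet counter `$2` exceeds it), so the guard can be written once instead of duplicated in the `logamount` and global-limit branches, which keeps the two from drifting apart later: `lim = ($6 == "logamount") ? $7 : limit` followed by `if (lim != 0 && $2 > lim) print $0`. The `limit` value is always numeric here because the script has already exited when `sysctl` fails, so no extra check on it is needed.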
 
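The "a limit of 0 is unlimited" rule from the follow-up, applied to `ipfw -a list` style output, as an added example; this is not the PR's patch nor the FreeBSD 550.ipfwlimit script. The function names (`ipfw_over_limit`, `over_limit_rules`) are hypothetical, and the rule lines in `SAMPLE_RULES` are constructed for the example rather than taken from a real firewall.

```shell
#!/bin/sh
# Added example (not the PR's script): flag ipfw rules whose packet counter
# has passed their effective log limit, treating a limit of 0 as "unlimited"
# for both the per-rule "logamount N" option and the global sysctl value.

# Constructed sample of `ipfw -a list` output: rule number, packet counter,
# byte counter, then the rule body. Rules 00530-00550 carry their own logamount.
SAMPLE_RULES='00510       1          70 deny log ip from any to 10.0.0.0/8 via xl0
00520      27        3937 deny log ip from any to 172.16.0.0/12 via xl0
00530     120        9000 deny log logamount 100 ip from any to 192.168.0.0/16 via xl0
00540      50        3000 deny log logamount 200 ip from any to 192.168.0.0/16 via sis0
00550     500       40000 deny log logamount 0 ip from any to any via sis0'

# ipfw_over_limit LIMIT
#   Reads rule lines on stdin and prints those whose packet counter ($2)
#   exceeds the effective limit. A per-rule "logamount N" ($6/$7) overrides
#   LIMIT (the net.inet.ip.fw.verbose_limit value); 0 means no limit at all.
ipfw_over_limit() {
    # keep only lines that start with "<rule number> <packet count>"
    grep '^[[:digit:]]\{1,\}[[:space:]]\{1,\}[[:digit:]]\{1,\}' | \
    awk -v limit="$1" '{
        # pick the per-rule limit when present, else the global one; force numeric
        lim = ($6 == "logamount") ? $7 + 0 : limit + 0
        if (lim != 0 && $2 + 0 > lim) print $0
    }'
}

# over_limit_rules LIMIT
#   Runs the check over the constructed sample and returns the flagged rule
#   numbers as a single space-separated line, convenient for scripting.
over_limit_rules() {
    printf '%s\n' "$SAMPLE_RULES" | ipfw_over_limit "$1" | \
    awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# Stand-alone run: global limit from the first argument, default 0 (unlimited).
printf '%s\n' "$SAMPLE_RULES" | ipfw_over_limit "${1:-0}"
```

With a global limit of 20, rules 00520 and 00530 are reported; with the global limit at 0 only 00530 is, because its own logamount of 100 still applies while 00550's logamount of 0 disables the check for that rule.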
Responsible-Changed-From-To: matteo->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Jun 19 04:42:47 UTC 2010 
Responsible-Changed-Why:  
Reset PR assigned to inactive committer. 

Hat:	gnats-admin 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96247 
>Unformatted:
