From stephen@cauchy.math.missouri.edu  Wed Jul 26 13:45:53 2000
Return-Path: <stephen@cauchy.math.missouri.edu>
Received: from cauchy.math.missouri.edu (cauchy.math.missouri.edu [128.206.49.166])
	by hub.freebsd.org (Postfix) with ESMTP id 6FC3237BF25
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 26 Jul 2000 13:45:52 -0700 (PDT)
	(envelope-from stephen@cauchy.math.missouri.edu)
Received: (from stephen@localhost)
	by cauchy.math.missouri.edu (8.9.3/8.9.1) id PAA35896;
	Wed, 26 Jul 2000 15:45:51 -0500 (CDT)
Message-Id: <200007262045.PAA35896@cauchy.math.missouri.edu>
Date: Wed, 26 Jul 2000 15:45:51 -0500 (CDT)
From: Stephen Montgomery-Smith <stephen@cauchy.math.missouri.edu>
Reply-To: stephen@math.missouri.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: "ipfw show" lists expired dynamic rules
X-Send-Pr-Version: 3.2

>Number:         20201
>Category:       kern
>Synopsis:       "ipfw show" lists expired dynamic rules
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    luigi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 13:50:01 PDT 2000
>Closed-Date:    Thu Jul 27 06:36:34 PDT 2000
>Last-Modified:  Thu Jul 27 06:36:55 PDT 2000
>Originator:     Stephen Montgomery-Smith
>Release:        FreeBSD 4.1-RC i386
>Organization:
University of Missouri
>Environment:

When you have installed an ipfw ruleset that includes rules with the keep-state
option set.

>Description:

ipfw show
lists all the dynamic rules, including those that have expired.

Indeed, looking at the code, it seems to me that the only time the
expired rules are cleaned out is when the number of dynamic rules
exceeds net.inet.ip.fw.dyn_max.

>How-To-Repeat:

type
ipfw show

>Fix:

My idea is as follows: when the user types

  ipfw show

then in sys/netinet/ip_fw.c we should clean out all the expired
rules with a call to remove_dyn_rule(NULL,0).  This should have
very low overhead, because we don't type ipfw show very often.

--- /sys/netinet/ip_fw.c	Sat Jul 15 19:25:45 2000
+++ ip_fw.c	Wed Jul 26 15:11:42 2000
@@ -1712,6 +1720,9 @@
 
 	switch (sopt->sopt_name) {
 	case IP_FW_GET:
+#if STATEFUL
+                remove_dyn_rule(NULL, 0 /* expire */);
+#endif
 		for (fcp = LIST_FIRST(&ip_fw_chain), size = 0; fcp;
 		     fcp = LIST_NEXT(fcp, chain))
 			size += sizeof *fcp->rule;
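Review bot: calling remove_dyn_rule(NULL, 0 /* expire */) at the top of case IP_FW_GET gives a read-only getsockopt a side effect on the dynamic-rule table, so every listing of the ruleset now deletes kernel state; if the aim is only to keep stale entries out of the listing, skipping entries whose expire time has passed while building the buffer that is copied out (or filtering them in ipfw(8) when printing) achieves that without the deletion, and leaves the maintainer's existing expiry policy untouched. The added remove_dyn_rule line is indented with spaces while the surrounding context lines use tabs; match the file's tab indentation. The hunk header (-1712 vs +1720) also shows the patch was taken against a working copy with other local changes earlier in the file, so it may need an offset when applied to a clean tree.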


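As an added illustration (not part of this report and not code from sys/netinet/ip_fw.c), a constructed C model of the dynamic-rule table: install_rule reclaims expired entries only when the table would exceed dyn_max, which is the behaviour the report describes, purge_expired is the purge the report proposes running on listing, and listed shows the alternative of hiding stale entries from the output without deleting them. All struct and function names are hypothetical.

```c
#include <stdlib.h>
/* Constructed model of one keep-state (dynamic) entry, not the kernel's
 * struct ipfw_dyn_rule: only the fields this report turns on. */
struct dyn_rule {
    unsigned expire;                /* absolute time the entry expires */
    struct dyn_rule *next;
};

static unsigned dyn_max = 8;        /* stands in for net.inet.ip.fw.dyn_max */

/* Drop every entry whose expire time has passed; returns how many went.
 * This is the purge the report proposes triggering from IP_FW_GET. */
static unsigned purge_expired(struct dyn_rule **pp, unsigned now)
{
    unsigned removed = 0;
    while (*pp != NULL) {
        if ((*pp)->expire <= now) {
            struct dyn_rule *dead = *pp;
            *pp = dead->next;
            free(dead);
            removed++;
        } else
            pp = &(*pp)->next;
    }
    return removed;
}

/* What a listing shows: hide == 0 is what the report observes (stale entries
 * included); hide == 1 filters them from the output without deleting any. */
static unsigned listed(const struct dyn_rule *r, unsigned now, int hide)
{
    unsigned n = 0;
    for (; r != NULL; r = r->next)
        if (!hide || r->expire > now)
            n++;
    return n;
}

/* Install an entry. As the report describes, expired entries are only
 * reclaimed when the table would otherwise exceed dyn_max. */
static int install_rule(struct dyn_rule **head, unsigned expire, unsigned now)
{
    struct dyn_rule *r;
    if (listed(*head, now, 0) >= dyn_max && purge_expired(head, now) == 0)
        return -1;                  /* table full and nothing is stale */
    if ((r = malloc(sizeof *r)) == NULL) return -1;
    r->expire = expire; r->next = *head; *head = r;
    return 0;
}
```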
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Thu Jul 27 04:44:40 PDT 2000 
Responsible-Changed-Why:  
Luigi, could you take a look at this one? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20201 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Thu Jul 27 06:36:34 PDT 2000 
State-Changed-Why:  
Luigi feels that the current behaviour is desirable. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20201 
>Unformatted:
 Stephen Montgomery-Smith
