From nobody@FreeBSD.ORG  Sun Aug  6 16:54:43 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 7597337BC6F; Sun,  6 Aug 2000 16:54:43 -0700 (PDT)
Message-Id: <20000806235443.7597337BC6F@hub.freebsd.org>
Date: Sun,  6 Aug 2000 16:54:43 -0700 (PDT)
From: roland+freebsd@frob.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: expired dynamic rules shown in "ipfw get" output
X-Send-Pr-Version: www-1.0

>Number:         20448
>Category:       kern
>Synopsis:       expired dynamic rules shown in "ipfw get" output
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    luigi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 06 17:00:01 PDT 2000
>Closed-Date:    Thu Nov 22 15:19:13 PST 2001
>Last-Modified:  Thu Nov 22 15:20:30 PST 2001
>Originator:     Roland McGrath
>Release:        4.0-20000706-STABLE
>Organization:
>Environment:
FreeBSD gateway.sf.frob.com 4.0-20000706-STABLE FreeBSD 4.0-20000706-STABLE #4: Sun Aug  6 16:22:24 PDT 2000     roland@gateway.sf.frob.com:/usr/src/sys/compile/FIREWALL  i386

>Description:
IP firewall dynamic rules have expiration times, but these times are
only checked when a hash lookup happens to walk over an expired rule,
or when the entire rule table is full and must be cleaned up to make
space for a new rule.  This is not a problem in practice, but it makes
for extraneous (and perhaps confusing) output in "ipfw get", since
expired dynamic rules are listed with a timeout value of 0--in fact
indicating that the rules have already expired and will have no effect
on future packet classification.
>How-To-Repeat:
Use ipfw dynamic rules (keep-state).  Invoke such a rule.
Note its presence in "ipfw get".  Wait for the rule to time out.
Again do "ipfw get" and note the continued presence of the expired
rule.

>Fix:
I made the following change to sys/netinet/ip_fw.c, which simply
does the expired-rule collection procedure before walking the hash
table for an IP_FW_GET request.  It looks like the current version
of ip_fw.c has not changed this part of the code, so this change
should still apply.  It would be perhaps better to modify
remove_dyn_rule to do the rule count during its walk (rather than
do two walks here), but this was the minimal code change.

diff -ubp /sys/netinet/ip_fw.c.~1~ /sys/netinet/ip_fw.c
--- /sys/netinet/ip_fw.c.~1~    Sun Aug  6 16:50:28 2000
+++ /sys/netinet/ip_fw.c        Sun Aug  6 16:50:28 2000
@@ -1720,6 +1720,7 @@ ip_fw_ctl(struct sockopt *sopt)
                    int i ;
                    struct ipfw_dyn_rule *p ;

+                   remove_dyn_rule(NULL, 0 /* expire */);
                    for (i = 0 ; i < curr_dyn_buckets ; i++ )
                        for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next )
                            size += sizeof(*p) ;

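Review bot: the added remove_dyn_rule(NULL, 0 /* expire */) call unlinks entries from the dynamic-rule hash chains on the IP_FW_GET path, while the same chains are walked and, per the description, pruned from the packet path, so it must not run at base priority; bracket it as `s = splnet(); remove_dyn_rule(NULL, 0 /* expire */); splx(s);` (the point raised in the follow-up), and consider covering the two counting loops that follow with the same splnet()/splx() pair so the chain cannot change under them. The bare `0 /* expire */` argument also deserves a fuller comment or a named constant, since what the second parameter selects is not evident at the call site.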

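The description above states why dead entries show up in the dump: an expired rule is dropped only when a lookup happens to walk its hash chain, or when the whole table is full. The following C model is an added example, not code from this PR or from FreeBSD's ip_fw.c; the struct, the bucket count, the flow keys and every function name are constructed for illustration. It contrasts the lazy per-chain expiry with an eager sweep over every chain of the kind the submitted patch inserts before the table is counted for IP_FW_GET, and shows that without the sweep a dump still lists the stale entry with a remaining timeout of 0.

```c
/* Added example: toy dynamic-rule table with lazy expiry (constructed,
 * not FreeBSD's ip_fw.c). Rules hash into short chains; a lookup prunes
 * only the chain it walks, an explicit sweep prunes every chain. */
#include <limits.h>
#include <stdlib.h>

#define NBUCKETS 4u          /* constructed size; ipfw sizes its table at runtime */

struct dyn_rule {
    struct dyn_rule *next;
    unsigned int src, dst;   /* constructed flow key, not real addresses */
    long expire;             /* absolute expiry on the simulated clock */
};

static struct dyn_rule *buckets[NBUCKETS];
static long now_sec;         /* simulated clock, in seconds */

static unsigned int bucket_of(unsigned int src, unsigned int dst)
{
    return (src ^ dst) % NBUCKETS;
}

void dyn_advance(long seconds) { now_sec += seconds; }

/* Install a state entry with a relative lifetime, as a keep-state match would. */
void dyn_install(unsigned int src, unsigned int dst, long lifetime)
{
    struct dyn_rule *p = calloc(1, sizeof *p);
    unsigned int h = bucket_of(src, dst);
    if (!p) abort();
    p->src = src;
    p->dst = dst;
    p->expire = now_sec + lifetime;
    p->next = buckets[h];
    buckets[h] = p;
}

/* Unlink every expired entry on one chain; returns how many were dropped. */
static int sweep_chain(struct dyn_rule **pp)
{
    int removed = 0;
    while (*pp) {
        struct dyn_rule *p = *pp;
        if (p->expire <= now_sec) {
            *pp = p->next;
            free(p);
            removed++;
        } else {
            pp = &p->next;
        }
    }
    return removed;
}

/* Lazy expiry, as the PR describes it: only the chain a flow hashes to is
 * cleaned, and only when a lookup happens to walk it. */
struct dyn_rule *dyn_lookup(unsigned int src, unsigned int dst)
{
    struct dyn_rule **pp = &buckets[bucket_of(src, dst)];
    sweep_chain(pp);
    for (struct dyn_rule *p = *pp; p; p = p->next)
        if (p->src == src && p->dst == dst)
            return p;
    return NULL;
}

/* Eager sweep of every chain: the job the patch's remove_dyn_rule() call
 * does before the table is walked for IP_FW_GET. */
int dyn_expire_all(void)
{
    int removed = 0;
    for (unsigned int i = 0; i < NBUCKETS; i++)
        removed += sweep_chain(&buckets[i]);
    return removed;
}

/* Empty the table and rewind the clock so the model can be rerun. */
void dyn_reset(void)
{
    now_sec = LONG_MAX;      /* everything is "expired" at the end of time */
    dyn_expire_all();
    now_sec = 0;
}

/* Number of entries a table dump would list. */
int dyn_count(void)
{
    int n = 0;
    for (unsigned int i = 0; i < NBUCKETS; i++)
        for (struct dyn_rule *p = buckets[i]; p; p = p->next)
            n++;
    return n;
}

/* Entries the dump would list with a remaining timeout of 0: already dead. */
int dyn_count_expired(void)
{
    int n = 0;
    for (unsigned int i = 0; i < NBUCKETS; i++)
        for (struct dyn_rule *p = buckets[i]; p; p = p->next)
            if (p->expire <= now_sec)
                n++;
    return n;
}
```

Install one short-lived flow and two long-lived ones on a different chain, advance the clock past the first lifetime, and look up one of the long-lived flows: the stale entry survives, because no lookup ever walked its chain, and a dump reports it with timeout 0. Calling dyn_expire_all() first, as the patch does before IP_FW_GET, removes it. The same model also shows the `<=` boundary: an entry whose expiry equals the current time is already dead to the lookup path.
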
>Release-Note:
>Audit-Trail:

From: Bill Fumerola <billf@chimesnet.com>
To: roland+freebsd@frob.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/20448: expired dynamic rules shown in "ipfw get" output
Date: Sun, 6 Aug 2000 20:06:53 -0400

 On Sun, Aug 06, 2000 at 04:54:43PM -0700, roland+freebsd@frob.com wrote:
 
 > >Fix:
 > I made the following change to sys/netinet/ip_fw.c, which simply
 > does the expired-rule collection procedure before walking the hash
 > table for an IP_FW_GET request.  It looks like the current version
 > of ip_fw.c has not changed this part of the code, so this change should still apply.
 [....]
 > 
 > diff -ubp /sys/netinet/ip_fw.c.~1~ /sys/netinet/ip_fw.c
 > --- /sys/netinet/ip_fw.c.~1~    Sun Aug  6 16:50:28 2000
 > +++ /sys/netinet/ip_fw.c        Sun Aug  6 16:50:28 2000
 > @@ -1720,6 +1720,7 @@ ip_fw_ctl(struct sockopt *sopt)
 >                     int i ;
 >                     struct ipfw_dyn_rule *p ;
 > 
 > +                   remove_dyn_rule(NULL, 0 /* expire */);
 >                     for (i = 0 ; i < curr_dyn_buckets ; i++ )
 >                         for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next )
 >                             size += sizeof(*p) ;
 > 
 
 I believe this has to be called at splnet().
 
 -- 
 Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                 billf@chimesnet.com / billf@FreeBSD.org
 

From: Roland McGrath <roland@frob.com>
To: Bill Fumerola <billf@chimesnet.com>
Cc: roland+freebsd@frob.com, freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/20448: expired dynamic rules shown in "ipfw get" output
Date: Sun, 6 Aug 2000 20:16:09 -0400 (EDT)

 > I believe this has to be called at splnet().
 
 I'll buy that.  But it seems to me that the walks of the hash table that go
 on there ought perhaps to be done at splnet too.  Though I guess in
 practice lower levels only read and never mutate the list structure.
 
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Mon Aug 7 02:03:20 PDT 2000 
Responsible-Changed-Why:  
Luigi, this one looks a lot like kern/20201.  Could you take 
a look, though? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20448 
State-Changed-From-To: open->closed 
State-Changed-By: luigi 
State-Changed-When: Thu Nov 22 15:19:13 PST 2001 
State-Changed-Why:  
Joe committed code to ipfw.c to disable showing these rules 
unless specifically requested. 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=20448 
>Unformatted:
