From dima@KOT.SPb.Ru  Thu Mar 14 01:44:42 2002
Return-Path: <dima@KOT.SPb.Ru>
Received: from orion.ifmo.ru (kot.spb.ru [194.85.164.6])
	by hub.freebsd.org (Postfix) with ESMTP id C989937B419
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 14 Mar 2002 01:44:38 -0800 (PST)
Received: (from dima@localhost)
	by orion.ifmo.ru (8.11.6/8.11.6) id g2E9iMg77205;
	Thu, 14 Mar 2002 12:44:22 +0300 (MSK)
	(envelope-from dima)
Message-Id: <200203140944.g2E9iMg77205@orion.ifmo.ru>
Date: Thu, 14 Mar 2002 12:44:22 +0300 (MSK)
From: Dmitry Afanasiev <dima@KOT.SPb.Ru>
Reply-To: Dmitry Afanasiev <dima@KOT.SPb.Ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw(8) limit feature does not work properly
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         35887
>Category:       kern
>Synopsis:       ipfw(8) limit feature does not work properly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 14 01:50:01 PST 2002
>Closed-Date:    Mon Oct 28 04:47:32 PST 2002
>Last-Modified:  Mon Oct 28 04:47:32 PST 2002
>Originator:     Dmitry Afanasiev
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
n/a
>Environment:
System: FreeBSD orion 4.5-STABLE FreeBSD 4.5-STABLE #8: Fri Mar 8 01:48:57 MSK 2002 root@orion:/usr/obj/usr/src/sys/MATPOCKuH i386


>Description:
When I use the rule
  allow tcp from any to 192.168.1.1 8800 limit src-addr 3 setup
and have over 100 simultaneous connections, I get these
log entries and sometimes a malfunctioning limit:
Mar 14 12:39:59 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:39:59 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:39:59 orion /kernel: OUCH! cannot remove rule, count 2
Mar 14 12:40:13 orion /kernel: OUCH! cannot remove rule, count 2
Mar 14 12:40:13 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:13 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:13 orion /kernel: OUCH! cannot remove rule, count 2
Mar 14 12:40:13 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:30 orion /kernel: OUCH! cannot remove rule, count 2
Mar 14 12:40:30 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:33 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:33 orion /kernel: OUCH! cannot remove rule, count 2
Mar 14 12:40:33 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:33 orion /kernel: OUCH! cannot remove rule, count 2
Mar 14 12:40:41 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:41 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:41 orion /kernel: OUCH! cannot remove rule, count 3
Mar 14 12:40:44 orion /kernel: OUCH! cannot remove rule, count 1
Mar 14 12:40:44 orion /kernel: OUCH! cannot remove rule, count 2
Mar 14 12:40:44 orion /kernel: OUCH! cannot remove rule, count 3

>How-To-Repeat:
ifconfig ed0 alias 192.168.1.1
ipfw add 22000 allow tcp from any to 192.168.1.1 8800 setup limit src-addr 3

>Fix:
>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/35887
Date: Mon, 30 Sep 2002 17:42:59 +0400 (MSD)

 There are two unrelated problems. First, limit rules just do not work
 for long-lived connections (more than net.inet.ip.fw.dyn_ack_lifetime
 seconds). A keepalive mechanism in ipfw2 solves the problem.
 
 Second, ipfw1 incorrectly spams the kernel log. You can try the patch
 below. Again, ipfw2 does not have this bug.
 
 Index: ip_fw.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
 retrieving revision 1.188
 diff -u -r1.188 ip_fw.c
 --- ip_fw.c	22 Jun 2002 11:51:02 -0000	1.188
 +++ ip_fw.c	27 Sep 2002 12:06:35 -0000
 @@ -724,11 +724,11 @@
  	    if (zap)
  		zap = force || TIME_LEQ( q->expire , time_second );
  	    /* do not zap parent in first pass, record we need a second pass */
 -	    if (q->dyn_type == DYN_LIMIT_PARENT) {
 +	    if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
  		max_pass = 1; /* we need a second pass */
 -		if (zap == 1 && (pass == 0 || q->count != 0) ) {
 +		if (pass == 0 || q->count != 0) {
  		    zap = 0 ;
 -		    if (pass == 1) /* should not happen */
 +		    if (pass == 1 && force) /* should not happen */
  			printf("OUCH! cannot remove rule, count %d\n",
  				q->count);
  		}
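
Review bot: gating the printf on `force` (`if (pass == 1 && force)`) is the actual fix for the log spam, and it is correct: on a periodic, non-forced sweep a DYN_LIMIT_PARENT that has expired while `q->count != 0` simply still owns live child entries (a connection that outlived dyn_ack_lifetime, as the reply describes), so keeping it with `zap = 0` is the normal path and not an error worth logging. Moving `zap` into the outer condition (`if (zap && q->dyn_type == DYN_LIMIT_PARENT)`) is a sensible companion change, since a parent that is not being expired no longer requests a second pass over the table. The `/* should not happen */` comment now describes only the forced case, where a parent whose children were all zapped in pass 0 should have reached count 0; consider rewording it to say so, because the old wording is what made the non-forced case look like a bug.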
 
 %%%
 
 But I suggest switching to ipfw2 instead. Instructions are here:
 
 http://docs.freebsd.org/cgi/getmsg.cgi?fetch=805262+0+archive/2002/cvs-all/20020728.cvs-all
 
 -- 
 Maxim Konovalov, MAcomnet, Internet Dept., system engineer
 phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
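
To show why the unpatched message fires on an ordinary periodic sweep, here is an added example in C; it is not ip_fw.c itself and not part of this PR, but a simplified model of the two-pass dynamic-rule sweep with a limit parent whose one child outlives dyn_ack_lifetime. The parent/child count bookkeeping, the time values and the `patched` switch are assumptions made for the illustration.

```c
#include <stdbool.h>
/* Added example, not the kernel's own code: a simplified model of ipfw1's
 * two-pass dynamic-rule sweep, enough to show when "OUCH! cannot remove rule"
 * fires before and after the patch. Assumed bookkeeping: zapping a child
 * decrements its parent's count; an entry expires when now >= expire, or
 * unconditionally when force is set. */
#define DYN_CHILD        0
#define DYN_LIMIT_PARENT 1
struct dyn_rule { int type; int count; int expire; bool alive; int parent; };

/* Returns how many OUCH messages one sweep would print; patched=false models
 * revision 1.188, patched=true the proposed change. */
static int sweep(struct dyn_rule *t, int n, int now, bool force, bool patched)
{
    int ouch = 0, max_pass = 0;
    for (int pass = 0; pass <= max_pass; pass++)
        for (int i = 0; i < n; i++) {
            struct dyn_rule *q = &t[i];
            if (!q->alive) continue;
            int zap = force || now >= q->expire;
            /* do not zap parent in first pass, record we need a second pass */
            if (patched ? (zap && q->type == DYN_LIMIT_PARENT)
                        : (q->type == DYN_LIMIT_PARENT)) {
                max_pass = 1;
                if (patched ? (pass == 0 || q->count != 0)
                            : (zap == 1 && (pass == 0 || q->count != 0))) {
                    zap = 0;
                    if (pass == 1 && (force || !patched)) /* "should not happen" */
                        ouch++;   /* kernel: printf("OUCH! cannot remove rule ...") */
                }
            }
            if (zap) {
                q->alive = false;
                if (q->type == DYN_CHILD) t[q->parent].count--;
            }
        }
    return ouch;
}

/* Constructed table at now = 200: a limit parent with two children, one idle
 * past its lifetime and one still active, i.e. a long-lived connection. */
static int ouch_count(bool force, bool patched)
{
    struct dyn_rule t[] = { { DYN_LIMIT_PARENT, 2, 100, true, 0 },
                            { DYN_CHILD, 0, 100, true, 0 },
                            { DYN_CHILD, 0, 900, true, 0 } };
    return sweep(t, 3, 200, force, patched);
}
```

ouch_count(false, false) reports one message for the periodic sweep, because the parent survives pass 1 with count 1 for the still-active child; ouch_count(false, true) and both forced variants report none.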
 
 
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Mon Oct 28 04:45:46 PST 2002 
State-Changed-Why:  
Fixed in rev. 1.131.2.36 src/sys/netinet/ip_fw.c in 4.7-STABLE. 
This bug does not affect -CURRENT. 


Responsible-Changed-From-To: freebsd-bugs->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Mon Oct 28 04:45:46 PST 2002 
Responsible-Changed-Why:  
Feedbacks will go to me. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=35887 
>Unformatted:
