From eugen@www.svzserv.kemerovo.su  Wed Sep 25 00:13:09 2002
Return-Path: <eugen@www.svzserv.kemerovo.su>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0A03D37B502
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 25 Sep 2002 00:13:09 -0700 (PDT)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1F58743E77
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 25 Sep 2002 00:13:06 -0700 (PDT)
	(envelope-from eugen@www.svzserv.kemerovo.su)
Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1])
	by www.svzserv.kemerovo.su (8.12.5/8.12.5) with ESMTP id g8P7D0ie035170
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 25 Sep 2002 15:13:00 +0800 (KRAST)
	(envelope-from eugen@www.svzserv.kemerovo.su)
Received: (from eugen@localhost)
	by www.svzserv.kemerovo.su (8.12.5/8.12.5/Submit) id g8P7D0LS035164;
	Wed, 25 Sep 2002 15:13:00 +0800 (KRAST)
Message-Id: <200209250713.g8P7D0LS035164@www.svzserv.kemerovo.su>
Date: Wed, 25 Sep 2002 15:13:00 +0800 (KRAST)
From: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
Reply-To: Eugene Grosbein <eugen@www.svzserv.kemerovo.su>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipfw aborts processing file/pipe when deletes nonexistent rule
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         43352
>Category:       kern
>Synopsis:       ipfw aborts processing file/pipe when deletes nonexistent rule
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    luigi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 25 00:20:01 PDT 2002
>Closed-Date:    Tue Aug 24 18:25:30 GMT 2004
>Last-Modified:  Tue Aug 24 18:25:30 GMT 2004
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD www.svzserv.kemerovo.su 4.6-STABLE FreeBSD 4.6-STABLE #3: Wed Aug 21 17:38:41 KRAST 2002 eu@www.svzserv.kemerovo.su:/home4/obj/home3/src/sys/WWW i386

>Description:
	I have a complicated shaper configuration based on ipfw/dummynet,
	a description of my network policy written in a custom language
	and a parser of that language that runs ipfw commands to implement
	the policy. As my net grows I see that running ipfw hundreds of times
	is very inefficient, so I'm trying to make my parser create a plain
	file containing a translation of my policy to a set of ipfw commands
	and then run ipfw with the absolute path to the generated file.

	This way ipfw fails to process the whole file because the file starts
	with a set of 'delete' commands clearing rules that may or may not
	exist and freeing needed rule numbers. ipfw considers removing
	a nonexistent rule/pipe/queue a fatal error and quits.

>How-To-Repeat:
	
	rm /tmp/rc.ipfw
	echo delete 60000 >> /tmp/rc.ipfw
	echo list >> /tmp/rc.ipfw
	ipfw delete 60000

	ipfw /tmp/rc.ipfw
>Fix:

	The current behaviour of ipfw has existed from the beginning.
	Consider making removing/listing of nonexistent entities
	a non-fatal error, at least for packed processing.
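	As an added example (not part of this PR and not ipfw's own code), a POSIX sh
	generator that emits 'delete' lines only for rule numbers present in the
	current 'ipfw list' output, so a batch file like the one described above never
	reaches the fatal exit; the listing below is a constructed sample, in real use
	it would come from running 'ipfw list'.

```shell
#!/bin/sh
# Constructed sample of `ipfw list` output (one "NNNNN action ..." line per
# rule, as ipfw prints it). Replace with: CURRENT_RULES=$(ipfw list)
CURRENT_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
60000 pipe 1 ip from 10.0.0.0/8 to any
65535 deny ip from any to any'

# existing_rule LIST NUM: exit 0 if rule NUM appears in LIST.
# Numeric comparison so "00100" in the listing matches "100" in the policy.
existing_rule() {
    printf '%s\n' "$1" |
        awk -v n="$2" '$1 + 0 == n + 0 { found = 1 } END { exit !found }'
}

# emit_deletes LIST "N1 N2 ...": print "delete N" only for rules that exist.
# Nonexistent numbers are skipped instead of being handed to ipfw, which
# would otherwise abort the whole file on the first missing rule.
emit_deletes() {
    list=$1
    for n in $2; do
        if existing_rule "$list" "$n"; then
            printf 'delete %s\n' "$n"
        fi
    done
}

# generate_rc LIST "N1 N2 ...": body of the generated command file, safe
# deletes first and then the policy rules (a single constructed rule here).
generate_rc() {
    emit_deletes "$1" "$2"
    printf 'add 60000 pipe 1 ip from 10.0.0.0/8 to any\n'
}

# Usage: generate_rc "$CURRENT_RULES" "60000 300 100" > /tmp/rc.ipfw
```

	The 65535 default rule is always present and is never a policy rule, so do not
	list it among the numbers to delete.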
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: keramida 
Responsible-Changed-When: Mon Oct 7 16:14:39 PDT 2002 
Responsible-Changed-Why:  
Refile this misfiled PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43352 
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: luigi 
Responsible-Changed-When: Sun Nov 17 15:35:26 PST 2002 
Responsible-Changed-Why:  
remember to look at it. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=43352 

From: "Dorr H. Clark" <dclark@applmath.scu.edu>
To: freebsd-gnats-submit@FreeBSD.org, eugen@www.svzserv.kemerovo.su
Cc:  
Subject: Re: kern/43352: ipfw aborts processing file/pipe when deletes 
 nonexistent rule
Date: Wed, 12 May 2004 10:31:15 -0700

 The fix is presented:
 
 --- ipfw2.c.orig        Thu Feb 12 15:48:41 2004
 +++ ipfw2.c     Mon Mar 15 19:44:43 2004
 @@ -2125,7 +2125,10 @@
                         rulenum =  (i & 0xffff) | (do_set << 24);
                         i = do_cmd(IP_FW_DEL, &rulenum, sizeof rulenum);
                         if (i) {
 -                               exitval = EX_UNAVAILABLE;
 +                               //tolerate the non-existent entry
 deletion
 +                               if(errno != EINVAL)
 +                                       exitval = EX_UNAVAILABLE;
 +
                                 warn("rule %u: setsockopt(IP_FW_DEL)",
                                     rulenum);
                         }
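 Review bot: the added comment on the first `+` line has been wrapped in the mail so that the word `deletion` sits on its own line with no `+` prefix, which makes this hunk fail to apply and would otherwise leave a stray token in ipfw2.c; fold it back onto one line and use a `/* ... */` comment to match the surrounding file. `if(errno != EINVAL)` should read `if (errno != EINVAL)` like the `if (i) {` above it. Note also that EINVAL is a generic bad-argument status from setsockopt(2), so this check cannot tell a missing rule from a malformed request; since `warn()` still runs for every failure the operator does see each case, but making the tolerance opt-in, as the mail itself suggests, would keep the existing strict behaviour as the default.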
 
 
 In order to address this problem, we intercept the non-existent
 entry deletion, print out a warning, and continue processing.
 
 This fix should be evaluated carefully to assure that it
 creates no new exploit.  The behavior could be made optional
 either compile time or runtime.
 
 Here is the analysis of the underlying call, justifying
 the fix as presented above:
 
 In the case of IP_FW_DEL, do_cmd() will use
 setsockopt() system call to delete an ipfw rule
 specified in the argument.  The setsockopt() will
 generate EINVAL if there is no existing open socket
 listening for that particular rule number.  The
 setsockopt man page states the following:
 
 [EINVAL]  Installing an accept_filter(9) on a
           non-listening socket was attempted.
 
 Budi Kusmiantoro, engineer
 Dorr H. Clark, advisor
 Graduate School of Engineering
 Santa Clara University

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: bug-followup@freebsd.org
Cc: luigi@freebsd.org, dclark@applmath.scu.edu
Subject: Re: kern/43352: ipfw aborts processing file/pipe when deletes nonexistent rule
Date: Sun, 8 Aug 2004 23:02:57 +0800

 Hi!
 
 I've solved the described problem in another way.
 Now I use ipfw2 and its 'sets' of rules to delete rules at once.
 For queues/pipes I use 'ipfw pipe flush'. The problem is solved after all.
 
 So, Luigi, you may just close this PR or consider a patch proposed by
 Dorr H. Clark, as you wish.
 
 Eugene Grosbein
State-Changed-From-To: open->closed 
State-Changed-By: andre 
State-Changed-When: Tue Aug 24 18:25:04 GMT 2004 
State-Changed-Why:  
Close this PR upon Originators request. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43352 
>Unformatted:
