
RE: One OR MORE of source and destination addresses?


rhe...@bmts.com

Aug 3, 2004, 12:50:25 PM

> I just took a look at the code:
>
>     if (q != NULL) { /* should never occur */
>         if (last_log != time_second) {
>             last_log = time_second;
>             printf("ipfw: install_state: entry already present, done\n");
>         }
>         return 0;
>     }
>
> What if I just hack the "printf ..." line out of there? Would that 'solve'
> it? I know it's dirty; but would things still work?

I'll jump in here as a software manager and say NO!!!!!

Note, I have no idea if it will still work, but as a professional
programmer, the question raises a number of issues :-)

1. First of all, the original programmer took time to comment
this line:

if (q != NULL) { /* should never occur */

OK. There's no indication WHY it should never occur, but still, the comment
is there.

2. By adding this line:

if (last_log != time_second) {

He's limiting the printed errors to one every second, so you
are not being flooded with as many messages as are actually
occurring.

Is last_log used anywhere else?

3. This line:

return 0;

will still return 0 if the error occurs, so the program will
work the same with or without the diagnostic message.

I'd do some more digging and find out exactly WHY this is a "should never
occur case" to be sure that the log is not needed. If you don't print
the log, then why do the test, except to return 0 :-)

Ralph


_______________________________________________
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"
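The per-second throttle Ralph describes in point 2 is easy to get subtly wrong, and the thread's "hack the printf out" idea would hide the flood entirely. The following is an added example, not code from this thread or from the FreeBSD ipfw source: it reimplements the `last_log != time_second` pattern as a small rate limiter with an injected clock (`now` replaces the kernel's global `time_second`) and adds a suppressed-event counter, so one line per second still records how many occurrences were swallowed. The `ratelog` struct, `ratelog_event` and `burst` are names chosen here for illustration.

```c
/* Added example, not the ipfw code: a per-second rate limiter for a
 * diagnostic message, modelled on the `last_log != time_second` check
 * quoted in the thread. The clock is a parameter so the behaviour can be
 * exercised deterministically; the kernel reads the global time_second. */
#include <stdio.h>
#include <stdbool.h>

struct ratelog {
    long last_log;            /* second in which we last printed, -1 = never */
    unsigned long suppressed; /* events swallowed since the last print */
    unsigned long total;      /* all events observed */
};

/* Report one occurrence of the "should never occur" condition at time `now`
 * (seconds). Returns true if a line was printed, false if it was suppressed.
 * Unlike the pattern in the thread, the next printed line also says how many
 * events were dropped, so a burst stays visible without flooding the log. */
static bool ratelog_event(struct ratelog *rl, long now, const char *msg)
{
    rl->total++;
    if (rl->last_log == now) {
        rl->suppressed++;
        return false;
    }
    rl->last_log = now;
    if (rl->suppressed > 0)
        printf("ipfw: %s (%lu similar messages suppressed)\n",
               msg, rl->suppressed);
    else
        printf("ipfw: %s\n", msg);
    rl->suppressed = 0;
    return true;
}

/* Drive the limiter with a constructed burst of `n` events all stamped with
 * second `sec`. Returns the number of lines actually printed. */
static unsigned long burst(struct ratelog *rl, long sec, unsigned long n)
{
    unsigned long printed = 0;
    for (unsigned long i = 0; i < n; i++)
        if (ratelog_event(rl, sec, "install_state: entry already present, done"))
            printed++;
    return printed;
}

int main(void)
{
    struct ratelog rl = {-1, 0, 0};
    /* Constructed input: 1000 events in second 1, 1000 more in second 2. */
    unsigned long printed = burst(&rl, 1, 1000) + burst(&rl, 2, 1000);
    printf("%lu events observed, %lu lines printed, %lu still pending\n",
           rl.total, printed, rl.suppressed);
    return 0;
}
```

The point for a reviewer of the original snippet: removing only the `printf` leaves the throttle state and the `return 0` in place, so behaviour is unchanged but the operator loses the only evidence that the "impossible" branch is being hit. Throttling with a suppressed count keeps the console usable while still showing the rate of the underlying condition.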

ad...@asarian-host.net

Aug 4, 2004, 1:08:39 AM
Bill Moran wrote:

> How about using skipto instead of allow? Thus, if it passes the
> first one, it can just skipto the next rule to be checked. i.e.:
>
> ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
> ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>
> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
> reject as always. The end result is that a packet _must_ pass both
> rules to be allowed.

I spoke too soon. :( It seems this sort of rule evokes a bug:

http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-April/001084.html

My whole console is flooded with messages like these:

"ipfw: install_state: entry already present, done"

Is there a known patch?

Thanks,

- Mark


_______________________________________________
freebsd...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hacke...@freebsd.org"
