kern/115755: [ipfw][patch] unify message and add a rule number where limit was reached
Sergey Matveychuk
sem at FreeBSD.org
Thu Aug 23 07:40:12 PDT 2007
>Number: 115755
>Category: kern
>Synopsis: [ipfw][patch] unify message and add a rule number where limit was reached
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 23 14:40:11 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Sergey Matveychuk
>Release: 6.2-STABLE
>Organization:
Yandex
>Environment:
FreeBSD orange.yandex.net 6.2-STABLE FreeBSD 6.2-STABLE #6: Thu Aug 23 14:14:05 UTC 2007 root at orange.yandex.net:/usr/obj/usr/src/sys/ORANGE i386
>Description:
When you have a few rules with a limit, you can't see which of them has been reached. Moreover, all log entries start with "ipfw: <number>", so stick to this form in the limit message.
>How-To-Repeat:
Add a few rules with a limit. When the limit is reached, you'll see in the log a line like this:
kernel: drop session 111.111.111.111:65373 -> 222.222.222.222:22, too many entries
You don't know which rule has been matched.
With the patch the line will look like this:
kernel: ipfw: 1500 drop session 111.111.111.111:65373 -> 222.222.222.222:22, too many entries
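As an added example (not part of the PR), a small parser that handles both the old and the new form of the "too many entries" line and counts limit drops per rule, so a log reviewer can see which rule's limit is firing. The sample syslog excerpt is constructed; the rule number 1600 and the "Accept" line are assumptions for the sake of the example.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample syslog excerpt: one pre-patch line (no rule number),
# three post-patch limit lines, and one unrelated ipfw log line.
SAMPLE_LOG = """\
Aug 23 14:12:49 orange kernel: drop session 111.111.111.111:65373 -> 222.222.222.222:22, too many entries
Aug 23 14:13:01 orange kernel: ipfw: 1500 drop session 111.111.111.111:65374 -> 222.222.222.222:22, too many entries
Aug 23 14:13:05 orange kernel: ipfw: 1600 drop session 10.0.0.5:40001 -> 222.222.222.222:80, too many entries
Aug 23 14:13:07 orange kernel: ipfw: 1500 drop session 111.111.111.111:65375 -> 222.222.222.222:22, too many entries
Aug 23 14:13:09 orange kernel: ipfw: 1500 Accept TCP 10.0.0.9:1234 222.222.222.222:22 in via em0
"""

# The "ipfw: <rulenum> " prefix is optional so that logs written before the
# patch still parse; such lines simply carry rule=None.
LIMIT_RE = re.compile(
    r"kernel: (?:ipfw: (?P<rule>\d+) )?drop session "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) -> (?P<dst>[0-9.]+):(?P<dport>\d+), too many entries$"
)


class LimitDrop(NamedTuple):
    rule: Optional[int]  # None when the line predates the rule-number patch
    src: str
    sport: int
    dst: str
    dport: int


def parse_limit_drop(line: str) -> Optional[LimitDrop]:
    """Return a LimitDrop for a 'too many entries' line, else None."""
    m = LIMIT_RE.search(line.rstrip())
    if not m:
        return None
    rule = int(m.group("rule")) if m.group("rule") else None
    return LimitDrop(rule, m.group("src"), int(m.group("sport")),
                     m.group("dst"), int(m.group("dport")))


def drops_per_rule(text: str) -> Counter:
    """Count limit drops keyed by rule number (None = unattributable old-format line)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        d = parse_limit_drop(line)
        if d is not None:
            counts[d.rule] += 1
    return counts
```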
>Fix:
Patch attached with submission follows:
--- sys/netinet/ip_fw2.c.orig Thu Aug 23 13:19:37 2007
+++ sys/netinet/ip_fw2.c Thu Aug 23 14:12:49 2007
@@ -1591,7 +1591,8 @@
inet_ntoa_r(da, dst);
}
log(LOG_SECURITY | LOG_DEBUG,
- "%s %s:%u -> %s:%u, %s\n",
+ "ipfw: %d %s %s:%u -> %s:%u, %s\n",
+ parent->rule->rulenum,
"drop session",
src, (args->f_id.src_port),
dst, (args->f_id.dst_port),
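Review bot: the new format string dereferences `parent->rule->rulenum` inside the `log()` call, and the hunk does not show where `parent` or `parent->rule` is validated; before commit it is worth confirming that both are always non-NULL on this path, since a NULL here would turn a logging change into a kernel panic. Minor style point: `"drop session"` is still passed as a `%s` argument; since the message is being unified under the `ipfw: %d` prefix anyway, folding the literal into the format string would make it self-describing. The hunk header counts (-7/+8) match the one removed and two added lines, and the patch was made against a 6.2-STABLE tree (per the file timestamps and the Release field), so it should also be checked against HEAD.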
>Release-Note:
>Audit-Trail:
>Unformatted: