ipfw2: core dump with large { ip or ip2 } block

Luigi Rizzo rizzo at icir.org
Tue Jul 1 05:47:14 PDT 2003


There is a somewhat arbitrary limit (imposed by /sbin/ipfw I believe)
of some 1KB for each ipfw2 rule.  Surely /sbin/ipfw should terminate
gracefully rather than dumping core (and I think someone submitted
patches to fix this).

This said, however, I don't believe having such huge OR-blocks
is the best way to program the firewall, because the code
will have to sequentially scan the list. You'd be much better off
splitting the list into smaller ones and jumping to them
using subnets, or, if several of these addresses are on the
same /24 or smaller subnet, using the 1.2.3.4/24{1,40-50,76,99} type of
construct.

	cheers
	luigi

On Tue, Jul 01, 2003 at 01:20:38AM -0400, Tim Wilde wrote:
> When trying to add a rule with a very large (>>100 IPs) { ip or ip2 or ...
> } block with ipfw2 I run into a core dump - I looked through the manpage
> and couldn't find any reference to a limit of number of IPs in one rule
> with or, is there such a limit, or am I running into a bug?  If so, how
> should I go about making a non-stripped ipfw binary so I can provide a
> useful backtrace?  Thanks.
> 
> Tim Wilde
> 
> -- 
> Tim Wilde
> twilde at dyndns.org
> Systems Administrator
> Dynamic DNS Network Services
> http://www.dyndns.org/
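The addr/24{list} construct Luigi suggests above, as an added example that is not code from this thread or from FreeBSD: a small sh/awk generator that turns a long address list into one short ipfw2 rule per /24 instead of a single huge OR-block. The rule number (100), the action (deny ip ... to any) and the sample addresses are assumed placeholders.

```shell
# Added example, not code from the thread or from FreeBSD: emit one short
# ipfw2 rule per /24 using the addr/24{list} construct instead of one giant
# "{ a or b or ... }" OR-block. The rule number (100) and the action
# (deny ip ... to any) are assumed placeholders.

# emit_rules [first-rule-number]: reads IPv4 addresses, one per line, on
# stdin; drops duplicates, sorts last octets and collapses runs (40,41,42
# -> 40-42). The set is double-quoted so a shell cannot brace-expand it.
emit_rules() {
    awk -F. -v rule="${1:-100}" '
        function range(a, b) { return (a == b) ? a : a "-" b }
        NF < 4 { next }
        {
            net = $1 "." $2 "." $3
            if (!(net in seen)) { seen[net] = 1; order[++n] = net }
            key = net SUBSEP ($4 + 0)
            if (!(key in have)) { have[key] = 1; octs[net] = octs[net] " " ($4 + 0) }
        }
        END {
            for (i = 1; i <= n; i++) {
                net = order[i]
                cnt = split(octs[net], a, " ")
                # insertion sort; a /24 holds at most 256 entries
                for (j = 2; j <= cnt; j++) {
                    v = a[j] + 0
                    for (k = j - 1; k >= 1 && a[k] + 0 > v; k--) a[k + 1] = a[k]
                    a[k + 1] = v
                }
                list = ""; start = a[1] + 0; prev = a[1] + 0
                for (j = 2; j <= cnt; j++) {
                    if (a[j] + 0 == prev + 1) { prev = a[j] + 0; continue }
                    list = list (list == "" ? "" : ",") range(start, prev)
                    start = a[j] + 0; prev = a[j] + 0
                }
                list = list (list == "" ? "" : ",") range(start, prev)
                printf "ipfw add %d deny ip from \"%s.0/24{%s}\" to any\n", rule + i - 1, net, list
            }
        }'
}

# Constructed sample input (unsorted, with a duplicate), not from the thread.
SAMPLE='198.51.100.1 198.51.100.40 198.51.100.42 198.51.100.41 198.51.100.76
198.51.100.99 198.51.100.1 203.0.113.7 203.0.113.8 203.0.113.9'
printf '%s\n' $SAMPLE | emit_rules 100
```

Addresses spread over many /24s still produce many rules; for those, Luigi's first suggestion (splitting into smaller lists reached via subnet-keyed skipto rules) applies.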
