ipfw: ouch!, skip past end of rules, denying packet
Oleg Bulyzhin
oleg at rinet.ru
Thu May 6 14:35:15 PDT 2004
On Thu, 6 May 2004, hugle wrote:
> OB> On Wed, 5 May 2004, hugle wrote:
>
> >> Hello all.
> >> I get such messages in dmesg:
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >> ipfw: ouch!, skip past end of rules, denying packet
> >>
> >> what is causing such messages ?
> >> google doesn't say anything..
> >> and one more thing..
> >> i've realised that pipes don't give me the bandwidth I should get
> >>
> >> instead of 100kbits i get ~70...
> >> instead of 156 i get ~100
> >> and so on..
> >> anyone have a clue where to search?
> >>
>
> OB> What is your value of net.inet.ip.fw.one_pass sysctl variable?
>
>
> perl# sysctl net.inet.ip.fw.one_pass
> net.inet.ip.fw.one_pass: 0
i see.
There is a little bug (i'll PR it as soon as i get enough time); you can
try the attached patch (built on RELENG_4).
>
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
--
Oleg.
================================================================
=== Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg at rinet.ru ===
================================================================
-------------- next part --------------
--- sys/netinet/ip_dummynet.c~ Tue Dec 30 15:28:09 2003
+++ sys/netinet/ip_dummynet.c Wed May 5 21:41:09 2004
@@ -1378,7 +1378,6 @@
}
-extern struct ip_fw *ip_fw_default_rule ;
static void
dn_rule_delete_fs(struct dn_flow_set *fs, void *r)
{
@@ -1390,7 +1389,7 @@
for (q = fs->rq[i] ; q ; q = q->next )
for (pkt = q->head ; pkt ; pkt = DN_NEXT(pkt) )
if (pkt->rule == r)
- pkt->rule = ip_fw_default_rule ;
+ pkt->rule = lookup_next_rule(pkt->rule);
}
/*
* when a firewall rule is deleted, scan all queues and remove the flow-id
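Review bot: The replacement `lookup_next_rule(pkt->rule)` on the added line follows the `next` link of `r`, a rule the caller has presumably already unlinked from the chain and is about to free, so the fix only holds as long as unlinking leaves that link intact; that assumption deserves a comment at the call site, e.g. `/* r is unlinked but its next link is still valid here */`. It also changes the fallback value: when `r` has no successor (the default rule during a full flush) the result is NULL instead of the default rule that the removed ip_fw_default_rule comment chose precisely to avoid a NULL special case, so the re-injection path must tolerate a NULL `rule` on a queued packet — worth confirming before merging. Since `pkt->rule == r` inside the loop, the lookup is loop-invariant; computing it once as `struct ip_fw *next = lookup_next_rule(r);` before the loops and assigning `pkt->rule = next;` avoids repeating the skipto scan for every queued packet. The same applies to the second hunk of this file (the `p->head` loop). dn_rule_delete_fs begins before this hunk.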
@@ -1415,7 +1414,7 @@
dn_rule_delete_fs(fs, r);
for (pkt = p->head ; pkt ; pkt = DN_NEXT(pkt) )
if (pkt->rule == r)
- pkt->rule = ip_fw_default_rule ;
+ pkt->rule = lookup_next_rule(pkt->rule);
}
}
--- sys/netinet/ip_fw.c~ Mon Jan 20 05:23:07 2003
+++ sys/netinet/ip_fw.c Wed May 5 21:53:06 2004
@@ -1023,9 +1023,7 @@
* Backward jumps are not allowed, so start looking from the next
* rule...
*/
-static struct ip_fw * lookup_next_rule(struct ip_fw *me);
-
-static struct ip_fw *
+struct ip_fw *
lookup_next_rule(struct ip_fw *me)
{
struct ip_fw *rule ;
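Review bot: Now that lookup_next_rule is exported for dummynet, the header comment above it (ending in `rule...`) should state the contract an outside caller needs: that it only follows `me`'s own next link, so it may be applied to a rule already removed from the chain, and what it returns when `me` has no successor — from the visible lines that return value cannot be determined, and whatever it is ends up stored in a queued packet's `rule` field by the ip_dummynet.c change. The body of lookup_next_rule continues past the hunk. The same applies to the ip_fw2.c hunk that exports the parallel definition.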
@@ -2066,16 +2064,6 @@
return (error);
}
-/**
- * dummynet needs a reference to the default rule, because rules can
- * be deleted while packets hold a reference to them (e.g. to resume
- * processing at the next rule). When this happens, dummynet changes
- * the reference to the default rule (probably it could well be a
- * NULL pointer, but this way we do not need to check for the special
- * case, plus here he have info on the default behaviour.
- */
-struct ip_fw *ip_fw_default_rule ;
-
void
ip_fw_init(void)
{
@@ -2098,7 +2086,6 @@
add_entry(&ip_fw_chain_head, &default_rule))
panic("ip_fw_init");
- ip_fw_default_rule = LIST_FIRST(&ip_fw_chain_head) ;
printf("IP packet filtering initialized, "
#ifdef IPDIVERT
"divert enabled, "
--- sys/netinet/ip_fw.h~ Tue Jul 9 13:11:42 2002
+++ sys/netinet/ip_fw.h Wed May 5 21:47:21 2004
@@ -360,6 +360,7 @@
struct sockopt;
struct dn_flow_set;
void flush_pipe_ptrs(struct dn_flow_set *match); /* used by dummynet */
+struct ip_fw * lookup_next_rule(struct ip_fw *me);
typedef int ip_fw_chk_t (struct ip_fw_args *args);
typedef int ip_fw_ctl_t (struct sockopt *);
--- sys/netinet/ip_fw2.c~ Fri Apr 2 21:15:44 2004
+++ sys/netinet/ip_fw2.c Wed May 5 21:44:55 2004
@@ -1221,7 +1221,7 @@
* pointers are flushed so we are always correct.
*/
-static struct ip_fw *
+struct ip_fw *
lookup_next_rule(struct ip_fw *me)
{
struct ip_fw *rule = NULL;
@@ -2721,15 +2721,6 @@
return (error);
}
-/**
- * dummynet needs a reference to the default rule, because rules can be
- * deleted while packets hold a reference to them. When this happens,
- * dummynet changes the reference to the default rule (it could well be a
- * NULL pointer, but this way we do not need to check for the special
- * case, plus here he have info on the default behaviour).
- */
-struct ip_fw *ip_fw_default_rule;
-
/*
* This procedure is only used to handle keepalives. It is invoked
* every dyn_keepalive_period
@@ -2793,7 +2784,6 @@
add_rule(&layer3_chain, &default_rule);
- ip_fw_default_rule = layer3_chain;
printf("ipfw2 initialized, divert %s, "
"rule-based forwarding enabled, default to %s, logging ",
#ifdef IPDIVERT
--- sys/netinet/ip_fw2.h~ Thu Jul 17 10:03:39 2003
+++ sys/netinet/ip_fw2.h Wed May 5 21:44:10 2004
@@ -413,6 +413,7 @@
struct dn_flow_set;
void flush_pipe_ptrs(struct dn_flow_set *match); /* used by dummynet */
+struct ip_fw * lookup_next_rule(struct ip_fw *me);
typedef int ip_fw_chk_t (struct ip_fw_args *args);
typedef int ip_fw_ctl_t (struct sockopt *);