One OR MORE of source and destination addresses?

Mark admin at asarian-host.net
Tue Aug 3 11:33:30 PDT 2004


Bill Moran wrote:

>>> My whole console is flooded with messages like these:
>>>
>>>     "ipfw: install_state: entry already present, done"
>>>
>>> Is there a known patch?
>>
>> I just took a look at the code:
>>
>>  if (q != NULL) { /* should never occur */
>>   if (last_log != time_second) {
>>    last_log = time_second;
>>    printf("ipfw: install_state: entry already present, done\n");
>>   }
>>   return 0;
>>  }
>>
>> What if I just hack the "printf ..." line out of there? Would that
>> 'solve' it? I know it's dirty; but would things still work?
>
> Theoretically, yes (note that I'm certainly no expert on this chunk of
> code). My reason for saying yes is:
> 1) The error seems to be that IPFW is trying to add the same stateful
>    rule twice ... which means it _did_ get successfully added once.
> 2) When that condition occurs, the function returns 0.  The comment at
>    the top of the file states that the function returns 1 on failure,
>    so it would appear that this condition is still considered
>    successful.

Thank you for taking the time to look into this.

Yes, my reason for thinking "yes" was the same. It seems there are critical
errors, such as "Too many dynamic rules", returning 1, and, say, unexpected
errors, like when trying to create a rule that already exists, returning 0.

Since the rule actually seems to be working (limiting total connections to
32, and only 4 per source), just commenting out the printf statement seems
like a harmless, albeit very dirty, "solution".

Indeed, this should probably be fixed; and I will file a PR tonight.

- Mark
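
The two return paths discussed in this message, as a small user-space model added here for illustration. It is not the FreeBSD ipfw source and not code from either poster: `struct flow`, `MAX_DYN`, `install_state_model()` and the counters are assumed names, and the sample flow is constructed.

```c
/* Added illustration: user-space model, NOT the FreeBSD ipfw source.
 * struct flow, MAX_DYN and install_state_model() are assumed names. */
#include <stdio.h>

#define MAX_DYN 4   /* assumed tiny limit so the failure path is reachable */

struct flow { unsigned src, dst; unsigned short sport, dport; };

static struct flow table[MAX_DYN];
static int dyn_count;          /* states currently installed */
static long last_log = -1;     /* second in which we last logged */
static int logged, suppressed; /* duplicate messages printed / rate-limited */

static int same_flow(const struct flow *a, const struct flow *b) {
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Returns 0 if the state exists after the call, 1 on failure. */
static int install_state_model(const struct flow *f, long now) {
    for (int i = 0; i < dyn_count; i++) {
        if (!same_flow(&table[i], f))
            continue;
        if (last_log != now) {       /* at most one message per second */
            last_log = now;
            logged++;
            fprintf(stderr, "model: entry already present, done\n");
        } else {
            suppressed++;
        }
        return 0;                    /* duplicate is not a failure */
    }
    if (dyn_count >= MAX_DYN) {
        fprintf(stderr, "model: too many dynamic rules\n");
        return 1;                    /* the only failing path here */
    }
    table[dyn_count++] = *f;
    return 0;
}

int main(void) {
    struct flow a = { 0x0a000001, 0x0a000002, 40000, 80 }; /* constructed */
    install_state_model(&a, 100);
    for (int i = 0; i < 1000; i++)   /* 1000 duplicates in the same second */
        install_state_model(&a, 100);
    printf("states=%d logged=%d suppressed=%d\n", dyn_count, logged, suppressed);
    return 0;
}
```

In this model the duplicate path only affects logging: the state table and the return value are the same whether or not the message is printed.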


