kern/69963: ipfw: install_state warning about already existing entry

System Administrator root at
Tue Aug 3 12:20:28 PDT 2004

>Number:         69963
>Category:       kern
>Synopsis:       ipfw: install_state warning about already existing entry
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 03 19:20:20 GMT 2004
>Originator:     Superuser
>Release:        FreeBSD 4.9-RELEASE-p3 i386
System: FreeBSD 4.9-RELEASE-p3 FreeBSD 4.9-RELEASE-p3 #2: Mon Aug 2 16:44:12 CEST 2004 root at i386


I installed the following ipfw2 rules (see below). The goal is simple: I want to limit connections to port 25 to 32 in total, targeted at "me". And of those 32, only 4 per source. Like so:

ipfw add 1 check-state
ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4

Doing so, causes the console to be flooded with messages like these:

    "ipfw: install_state: entry already present, done"

It is this code in ip_fw2.c and ip_fw.c that prints the message:

 q = lookup_dyn_rule(&args->f_id, NULL, NULL);
 if (q != NULL) { /* should never occur */
  if (last_log != time_second) {
   last_log = time_second;
   printf("ipfw: install_state: entry already present, done\n");
  return 0;

	every time the rules in question hit

Since this seems to be a non-critical error (as it is just a matter of ignoring an already existing rule),
I commented out the line that does the printf, so as to avoid the repeated warnings. Needless to say,
this is not at all a real solution. In fact, it is no solution at all, just a suppressant.


More information about the freebsd-bugs mailing list