ipfw: install_state: entry already present, done
Oleg Bulyzhin
oleg at rinet.ru
Tue Apr 27 01:19:04 PDT 2004
Hi!
install_state() (in ip_fw2.c/RELENG_4) has the following code:

    if (q != NULL) { /* should never occur */
        if (last_log != time_second) {
            last_log = time_second;
            printf("ipfw: install_state: entry already present, done\n");
        }
        return 0;
    }
(similar code is in ip_fw.c and in CURRENT)
You can get such messages using these rules:

    ipfw add 10 skipto 20 tcp from any to any setup keep-state
    ipfw add 20 allow tcp from any to any setup keep-state
This example is quite useless, but there are _valid_ situations when you get
your logs spammed with this error.
For example, I want to pass TCP connections to a limited set of destination hosts,
and the total number of the client's TCP sessions should be limited.
The ruleset might be like this (10.0.0.0/24 is the client's network):
10 check-state
20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.1 setup keep-state
20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.2 setup keep-state
20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.3 setup keep-state
50 reset tcp from 10.0.0.0/24 to any
100 allow tcp from 10.0.0.0/24 to any setup limit src-addr 16
As a result you will get the error for every client TCP SYN packet to an
allowed host (well, the highest rate possible is 1 message/sec).
I think install_state() should store cmd->o.opcode in a static variable, and the
error message should be printed only if the current opcode or the previous opcode
equals O_KEEP_STATE (because chained keep-state rules are useless but, I think,
chained limit rules may be useful).
Any comments?
--
Oleg.
================================================================
=== Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg at rinet.ru ===
================================================================
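The warning path quoted in the message above, modelled as a small user-space C program. This is an added example, not the kernel's ip_fw2.c: the struct flow key, the fixed-size table, the counters and the fake clock passed as `now` are stand-ins for ipfw_flow_id, the dynamic-rule table and time_second. It reproduces the two effects the post describes: the second keep-state rule in a chain always finds the entry the first one just installed, and the `last_log != time_second` check collapses any number of duplicates within one second into a single log line.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define MAX_STATES 64

/* Constructed 5-tuple key standing in for the kernel's ipfw_flow_id. */
struct flow {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;
};

static struct flow states[MAX_STATES];  /* toy dynamic-rule table */
static int    nstates;
static time_t last_log;                  /* kernel keeps this static inside install_state() */

/* Counters so the behaviour is observable without reading the console. */
static int dup_hits;    /* calls that found the entry already present */
static int log_lines;   /* warnings actually printed after rate limiting */

static int flow_eq(const struct flow *a, const struct flow *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

static struct flow *lookup_dyn_rule(const struct flow *f)
{
    for (int i = 0; i < nstates; i++)
        if (flow_eq(&states[i], f))
            return &states[i];
    return NULL;
}

/* Mirrors the quoted path: if the flow already has a state entry, log at
 * most once per second and return 0 so the packet keeps matching.
 * `now` plays the role of time_second. Returns 1 only if the table is full. */
int install_state(const struct flow *f, time_t now)
{
    if (lookup_dyn_rule(f) != NULL) {          /* "should never occur" */
        dup_hits++;
        if (last_log != now) {                 /* at most one line per second */
            last_log = now;
            log_lines++;
            printf("ipfw: install_state: entry already present, done\n");
        }
        return 0;
    }
    if (nstates == MAX_STATES)
        return 1;
    states[nstates++] = *f;
    return 0;
}

/* One SYN walking the two chained keep-state rules from the post:
 *   10 skipto 20 tcp from any to any setup keep-state
 *   20 allow     tcp from any to any setup keep-state
 * Rule 10 installs the state; rule 20 then calls install_state() again. */
void syn_through_chained_keep_state(const struct flow *f, time_t now)
{
    install_state(f, now);  /* rule 10: installs the dynamic rule */
    install_state(f, now);  /* rule 20: entry already present, warning */
}

/* `sessions` new client connections (one source port each, starting at
 * first_sport) inside the same clock second; returns the running total
 * of warning lines printed so far. */
int warnings_for_burst(int sessions, uint16_t first_sport, time_t now)
{
    struct flow f = { 0x0a000001, 0xc0a80001, 0, 80, 6 };  /* 10.0.0.1 -> 192.168.0.1:80 */
    for (int i = 0; i < sessions; i++) {
        f.sport = (uint16_t)(first_sport + i);
        syn_through_chained_keep_state(&f, now);
    }
    return log_lines;
}

void reset_model(void) { nstates = 0; last_log = 0; dup_hits = 0; log_lines = 0; }
int get_dup_hits(void)  { return dup_hits; }
int get_nstates(void)   { return nstates; }

int main(void)
{
    reset_model();
    /* Three SYNs in one second: three duplicates, one log line. */
    warnings_for_burst(3, 40001, 1000);
    /* One more a second later gets its own line. */
    warnings_for_burst(1, 50001, 1001);
    printf("duplicates=%d logged=%d states=%d\n", dup_hits, log_lines, nstates);
    return 0;
}
```

Every state is installed exactly once by the first rule, so the table stays correct; the warning is purely a side effect of the second rule re-walking install_state() for a flow that already has an entry, which is why the post sees one line per second for as long as clients keep opening sessions.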