From owner-FreeBSD-users-jp@jp.FreeBSD.org Wed Dec 20 00:32:16 2006
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id kBJFWGD35130;
	Wed, 20 Dec 2006 00:32:16 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from mail.asahi-net.or.jp (mail1.asahi-net.or.jp [202.224.39.197])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id kBJFWGw35124
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Wed, 20 Dec 2006 00:32:16 +0900 (JST)
	(envelope-from CQG00620@nifty.ne.jp)
Received: from asahi-net.jp (l205173.ppp.asahi-net.or.jp [218.219.205.173])
	by mail.asahi-net.or.jp (Postfix) with ESMTP id CB787272BC
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Wed, 20 Dec 2006 00:32:15 +0900 (JST)
From: Watanabe Kazuhiro <CQG00620@nifty.ne.jp>
To: FreeBSD-users-jp@jp.FreeBSD.org
In-Reply-To: <200612180641.AA00276@POLYMER5.scphys.kyoto-u.ac.jp>
References: <200612180641.AA00276@POLYMER5.scphys.kyoto-u.ac.jp>
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.8
 (=?ISO-8859-4?Q?Shij=F2?=) APEL/10.6 Emacs/20.7 (i386--freebsd) MULE/4.0
 (HANANOEN)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=ISO-2022-JP
Message-Id: <20061219153215.CB787272BC@mail.asahi-net.or.jp>
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Wed, 20 Dec 2006 00:32:15 +0900
X-Sequence: FreeBSD-users-jp 90232
Subject: [FreeBSD-users-jp 90232] Re: /etc/periodic/security/550.ipfwlimit
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: CQG00620@nifty.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+060209

This is Watanabe Kazuhiro. I am replying having looked only at the documentation and the source.

At Mon, 18 Dec 2006 15:41:41 +0900,
Tsurutani Naoki wrote:
> ipfw$B$G$N%m%0$N%l%]!<%H$K$D$$$F!"5?Ld$,$"$j$^$9!#(B
> PR conf/96247$B$K=q$$$?$N$G$9$,!"0l8~$K=$@5$5$l$J$$$N$G!"(B
> $B;d$NM}2rITB-$+$HIT0B$K$J$C$F$-$^$7$?!#(B
> 
> % sysctl net.inet.ip.fw.verbose
> net.inet.ip.fw.verbose: 1
> % sysctl net.inet.ip.fw.verbose_limit
> net.inet.ip.fw.verbose_limit: 0
> with that setting,
> deny log ip from any to 172.16.0.0/12 via xl0
> logs are recorded for a rule like the one above.
> 
> For those logs, periodic's security/550.ipfwlimit reports whether the
> limit has been reached, but with limit=0 as shown above, a report saying
> "the limit has been reached" always arrives.
> Since I believe limit=0 is interpreted as "no limit" (that is what the man page says),
> I think this is wrong, but in the PR they did not take it up.
> 
> Is my interpretation mistaken?

(Tsurutani-san also touched on this in the second comment on the PR, but)
in short, as stated in ipfw(8),

(1) "ipfw log XXX ..." $B$N$h$&$K>e8B(B XXX $B$r%k!<%k$G;XDj$5$l$l$P!"(B
    $B$=$NCM$r;H$&!#(B
(2) $B%k!<%k$G>e8B$r;XDj$5$l$J$1$l$P!"(Bsysctl(8) $BJQ?t$N(B
    net.inet.ip.fw.verbose_limit $B$NCM$r;H$&!#(B
(3) $B$I$A$i$K$7$F$b!"CM$,(B 0 $B$J$i$P>e8BL5$7$K$J$k!#(B

I think that interpretation is correct.


$B$?$@!"@hJ}$ODaC+$5$s$,(B PR $B$G:G=i$KDs<($7$?%Q%C%A$r8+$F!"(B

> net.inet.ip.fw.verbose_limit: 0

seems to have misunderstood Tsurutani-san as believing that with such a setting
there is unconditionally no limit. That is presumably why

| Why: This is not a bug: if net.inet.ip.fw.verbose_limit=0 but rules
| specify a limit, this limit has the priority since it's a specific
| setting that overrides a general one.

they commented as above. With the first patch,

> net.inet.ip.fw.verbose_limit: 0

combined with a limit set in a rule cannot be handled.


The patch presented the second time looks like it would give the desired behaviour.
However, looking at the ipfw(8) source (ipfw2.c),

|| static void
|| show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
|| {
(snip)
||         if (logptr) {
||                 if (logptr->max_log > 0)
||                         printf(" log logamount %d", logptr->max_log);
||                 else
||                         printf(" log");
||         }

is what it does, so

|                  '{if ($6 == "logamount") {
| -                        if ($2 > $7)
| +                        if ($7 != 0 && $2 > $7)
|                                  {print $0}
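Review bot: the added `$7 != 0` guard in the `$6 == "logamount"` branch is redundant rather than wrong: the quoted show_ipfw() prints `log logamount %d` only when `logptr->max_log > 0`, so $7 can never be 0 when $6 is "logamount". It does no harm, but it suggests a case that cannot occur and distracts from the branch that actually needs the fix; dropping this hunk, or at least adding a comment that a per-rule logamount is always positive, would make the intent clearer.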

this part is unnecessary, and

|                  } else {
| -                        if ($2 > limit)
| +                        if (limit != 0 && $2 > limit)
|                                  {print $0}}
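Review bot: this hunk is the change that matters: with net.inet.ip.fw.verbose_limit=0 the old `if ($2 > limit)` test was true for every logging rule that had counted at least one packet, which is exactly the unconditional "limit reached" report described above. Adding `limit != 0 &&` restores the ipfw(8) semantics that 0 means unlimited; a short comment on this line saying so would spare the next reader the same confusion the PR went through.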

alone should be sufficient, shouldn't it?


$B$"$H!"7o$N(B PR $B$O(B

| Why: Re-open to look at this PR again: submitter is sure this is a
| bug, so I'll look at this again.

has been reopened with that note, so I suspect it has either simply been forgotten
or put on the back burner. If it had not been misunderstood as described above,
I have a feeling it would have been committed fairly smoothly.
---
Watanabe Kazuhiro (CQG00620@nifty.ne.jp)
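The following is an added example, not code from the mail above or from FreeBSD's own 550.ipfwlimit script. It re-implements the report logic with the three-step resolution described in the reply (per-rule logamount first, then net.inet.ip.fw.verbose_limit, and 0 meaning unlimited in either case), so that the effect of the corrected awk test can be seen on constructed input. It assumes the `ipfw -a list` field layout the quoted patch relies on (packet count in $2, "log" in $5, optional "logamount" N in $6/$7); the rule lines and counters are invented for the example.

```shell
#!/bin/sh
# Added example: report logic of periodic/security/550.ipfwlimit with the
# "0 means unlimited" rule applied to both the per-rule logamount and the
# sysctl fallback.  Not FreeBSD's script; field positions are an assumption
# taken from the quoted patch.

# Print the logging rules whose packet counter exceeds their effective log limit.
# $1: value of net.inet.ip.fw.verbose_limit (fallback limit); rule lines on stdin.
ipfw_limit_report() {
    awk -v limit="$1" '
        $5 != "log" { next }                      # only logging rules are of interest
        $6 == "logamount" {                       # per-rule limit overrides the sysctl
            if ($7 != 0 && $2 > $7) print $0      # the $7 != 0 guard is redundant:
            next                                  # ipfw(8) never prints logamount 0
        }
        {                                         # no per-rule limit: use the sysctl,
            if (limit != 0 && $2 > limit) print $0   # where 0 means no limit at all
        }'
}

# Constructed sample of `ipfw -a list` output (rule numbers and counters invented).
SAMPLE_RULES='00100 150 12000 deny log logamount 100 ip from any to 172.16.0.0/12 via xl0
00200 20 1600 deny log logamount 100 ip from any to 10.0.0.0/8 via xl0
00300 7 560 deny log ip from any to 192.168.0.0/16 via xl0
00400 900 72000 allow ip from any to any
65535 1 40 deny ip from any to any'

# Number of rules reported for a given verbose_limit value.
count_reported() {
    printf '%s\n' "$SAMPLE_RULES" | ipfw_limit_report "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: with verbose_limit=0 only rule 00100 (150 > its own
# logamount 100) is reported; with verbose_limit=5 rule 00300 (7 packets, no
# logamount) joins it.  The old test would have reported 00300 at limit 0 too.
echo "verbose_limit=0 (unlimited fallback):"
printf '%s\n' "$SAMPLE_RULES" | ipfw_limit_report 0
echo "verbose_limit=5:"
printf '%s\n' "$SAMPLE_RULES" | ipfw_limit_report 5
```

Feeding the real `ipfw -a list` output into `ipfw_limit_report "$(sysctl -n net.inet.ip.fw.verbose_limit)"` would exercise the same logic on a live system; the point of the example is that a verbose_limit of 0 no longer produces a report for every logging rule that has seen traffic.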
