NetBSD Problem Report #47850

From christos@zoulas.com  Thu May 23 21:32:09 2013
Return-Path: <christos@zoulas.com>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 8AE3E71927
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 23 May 2013 21:32:09 +0000 (UTC)
Message-Id: <20130523213206.20C0797129@rebar.astron.com>
Date: Thu, 23 May 2013 21:32:06 +0000 (UTC)
From: christos@netbsd.org
Reply-To: christos@netbsd.org
To: gnats-bugs@gnats.NetBSD.org
Subject: ipfstat is broken.
X-Send-Pr-Version: 3.95

>Number:         47850
>Category:       bin
>Synopsis:       ipfstat does not list all the rules anymore
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ipf-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 23 21:35:00 +0000 2013
>Last-Modified:  Sun Jun 15 12:20:00 +0000 2014
>Originator:     Christos Zoulas
>Release:        NetBSD 6.99.20
>Organization:
	Entropy Unlimited, Ltd.
>Environment:
NetBSD quasar.astron.com 6.99.20 NetBSD 6.99.20 (QUASAR) #3: Thu May 23 09:30:24 EDT 2013  christos@quasar.astron.com:/usr/src/sys/arch/amd64/compile/QUASAR amd64
Architecture: x86_64
Machine: amd64
>Description:
	ipf loads the rules properly but ipfstat does not list them.

>How-To-Repeat:
0 root:wheel@t61//etc/ipf.d#  ipf -vf /tmp/ipf.conf 
block in log quick on iwn0(!) all head 600
block in quick inet from any to 10.0.0.0/25 port = 137 group 600
block in quick inet from 0.0.0.0/32 port = 68 to 255.255.255.255/32 port = 67 group 600
block in log quick inet from 10.0.0.0/8 to any group 600
block in log quick inet from 192.168.0.0/16 to any group 600
block in log quick inet from 172.16.0.0/12 to any group 600
block in log quick inet from 127.0.0.0/8 to any group 600
block in log quick inet from 0.0.0.0/8 to any group 600
block in log quick inet from 169.254.0.0/16 to any group 600
block in log quick inet from 192.0.2.0/24 to any group 600
block in log quick inet from x.y.64.0/23 to any group 600
block in log quick inet from 224.0.0.0/3 to any group 600
block in log quick inet from 10.0.0.8/32 to any group 600
block in log quick inet from any to 10.0.0.0/32 group 600
block in log quick inet from any to 10.0.0.127/32 group 600
pass in log quick inet proto udp from any to 10.0.0.8/32 port = ntalk keep state group 600 # count 0
block in log first quick inet proto tcp from any to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags head 620 group 600 # count 0
pass in quick inet proto tcp from x.y.139.172/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.140.215/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.220.129/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.7.79/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.21.145/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.220.129/32 to 10.0.0.8/32 port = ssh flags S/FSRPAU keep state keep frags group 600 # count 0
pass in quick inet proto udp from x.y.220.129/32 to 10.0.0.8/32 port = ssh keep state group 600 # count 0
pass in quick inet proto tcp from x.y.140.215/32 to 10.0.0.8/32 port = ssh flags S/FSRPAU keep state keep frags group 600 # count 0
pass in quick inet proto udp from x.y.140.215/32 to 10.0.0.8/32 port = ssh keep state group 600 # count 0
pass in quick inet proto udp from x.y.220.129/32 to 10.0.0.8/32 port = 58800 group 600
pass in quick inet proto udp from x.y.139.172/32 to 10.0.0.8/32 port = 58800 group 600
pass in quick inet proto udp from x.y.140.215/32 to 10.0.0.8/32 port = 58800 group 600
block in quick inet proto icmp from any to 10.0.0.8/32 group 600
block in quick inet proto tcp from any to 10.0.0.8/32 group 600
block in quick inet proto udp from any to 10.0.0.8/32 group 600
block out log quick on iwn0(!) all head 650
block out log quick inet from any to 10.0.0.0/8 group 650
block out log quick inet from any to 192.168.0.0/16 group 650
block out log quick inet from any to 172.16.0.0/12 group 650
block out log quick inet from any to 127.0.0.0/8 group 650
block out log quick inet from any to 0.0.0.0/8 group 650
block out log quick inet from any to 169.254.0.0/16 group 650
block out log quick inet from any to 192.0.2.0/24 group 650
block out log quick inet from any to x.y.64.0/23 group 650
block out log quick inet from any to 224.0.0.0/3 group 650
pass out quick inet proto tcp from 10.0.0.8/32 to any port = nntp flags S/SA keep state keep frags group 650 # count 0
pass out quick inet proto tcp from 10.0.0.8/32 to any port = mmcc flags S/SA keep state keep frags group 650 # count 0
pass out quick inet proto tcp from 10.0.0.8/32 to any flags S/FSRPAU keep state keep frags group 650 # count 0
pass out quick inet proto udp from 10.0.0.8/32 to any keep state group 650 # count 0
pass out quick inet proto icmp from 10.0.0.8/32 to any keep state group 650 # count 0
0 root:wheel@t61//etc/ipf.d# ipfstat -ion
@1 block out log quick on iwn0 all head 650
@1 block in log quick on iwn0 all head 600


>Fix:

Please try this patch.

--- src/external/bsd/ipf/dist/tools/ipfstat.c.orig     Mon Jul 23 12:15:16 2012
+++ src/external/bsd/ipf/dist/tools/ipfstat.c Tue Oct 16 07:46:05 2012
@@ -906,6 +906,12 @@
 		}
 	}

+	while ((g = grtop) != NULL) {
+		printlivelist(fiop, out, set, NULL, g->fg_name, comment);
+		grtop = g->fg_next;
+		free(g);
+	}
+
 	num = IPFGENITER_IPF;
 	(void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
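
Review bot: the new while loop calls printlivelist() before it advances grtop (`grtop = g->fg_next` comes after the call), and nothing limits the loop to the top-level invocation. If this code sits inside printlivelist() itself, the nested call finds the same entry still at the head of grtop and recurses on it again, which matches the infinite recursion reported later in this PR. Guard the loop so it runs only for the outermost call (for example `if (group == NULL)`), or unlink g from grtop before recursing. The call also passes NULL for the rule pointer argument, so it is worth confirming the callee never dereferences that argument before assigning it.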



>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: darrenr@NetBSD.org
Responsible-Changed-When: Thu, 20 Jun 2013 14:56:46 +0000
Responsible-Changed-Why:
not kernel problem


From: Takahiro HAYASHI <t.hash425@gmail.com>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org
Cc: 
Subject: Re: kern/47850: ipfstat is broken.
Date: Wed, 14 May 2014 20:08:59 +0900

 > Synopsis:       ipfstat does not list all the rules anymore

 The patch provided in http://gnats.netbsd.org/47850
 causes an infinite recursive call and dumps core.
 This should do as netbsd-6's ipfstat does.

 Index: src/external/bsd/ipf/dist/tools/ipfstat.c
 ===================================================================
 RCS file: /cvsroot/src/external/bsd/ipf/dist/tools/ipfstat.c,v
 retrieving revision 1.3
 diff -u -p -r1.3 ipfstat.c
 --- src/external/bsd/ipf/dist/tools/ipfstat.c	22 Jul 2012 14:27:51 -0000	1.3
 +++ src/external/bsd/ipf/dist/tools/ipfstat.c	7 Feb 2014 12:12:28 -0000
 @@ -916,6 +916,16 @@ printlivelist(fiop, out, set, fp, group,
   		}
   	} while (fp->fr_next != NULL);

 +	if (group == NULL) {
 +		while ((g = grtop) != NULL) {
 +			printf("# Group %s\n", g->fg_name);
 +			printlivelist(fiop, out, set, NULL, g->fg_name,
 +					comment);
 +			grtop = g->fg_next;
 +			free(g);
 +		}
 +	}
 +
   	num = IPFGENITER_IPF;
   	(void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
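
Review bot: in the added block, termination depends entirely on the `if (group == NULL)` guard, because grtop still points at g while the nested printlivelist() runs; `grtop = g->fg_next` is executed only after the call returns. Advancing grtop before the call (set `grtop = g->fg_next`, then call printlivelist() and free g) would keep the list consistent even if the nested call touches grtop. The call passes NULL as fp while the context line above shows `} while (fp->fr_next != NULL);`, so confirm fp is always reassigned inside the function before that test. The `printf("# Group %s\n", ...)` line also changes ipfstat's output, which deserves a mention in the commit message.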


 -- 
 t-hash

From: Darren Reed <darrenr@fastmail.net>
To: gnats-bugs@NetBSD.org, ipf-bug-people@netbsd.org, 
 gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, christos@netbsd.org
Cc: 
Subject: Re: kern/47850: ipfstat is broken.
Date: Sun, 15 Jun 2014 22:15:19 +1000

 Patches for ipfilter to fix it on sparc64 and in general have been
 posted to tech-net@netbsd.org.

 Darren

>Unformatted:
