NetBSD Problem Report #47850
From christos@zoulas.com Thu May 23 21:32:09 2013
Return-Path: <christos@zoulas.com>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 8AE3E71927
for <gnats-bugs@gnats.NetBSD.org>; Thu, 23 May 2013 21:32:09 +0000 (UTC)
Message-Id: <20130523213206.20C0797129@rebar.astron.com>
Date: Thu, 23 May 2013 21:32:06 +0000 (UTC)
From: christos@netbsd.org
Reply-To: christos@netbsd.org
To: gnats-bugs@gnats.NetBSD.org
Subject: ipfstat is broken.
X-Send-Pr-Version: 3.95
>Number: 47850
>Category: bin
>Synopsis: ipfstat does not list all the rules anymore
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: ipf-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu May 23 21:35:00 +0000 2013
>Last-Modified: Sun Jun 15 12:20:00 +0000 2014
>Originator: Christos Zoulas
>Release: NetBSD 6.99.20
>Organization:
Entropy Unlimited, Ltd.
>Environment:
NetBSD quasar.astron.com 6.99.20 NetBSD 6.99.20 (QUASAR) #3: Thu May 23 09:30:24 EDT 2013 christos@quasar.astron.com:/usr/src/sys/arch/amd64/compile/QUASAR amd64
Architecture: x86_64
Machine: amd64
>Description:
ipf loads the rules properly but ipfstat does not list them.
>How-To-Repeat:
0 root:wheel@t61//etc/ipf.d# ipf -vf /tmp/ipf.conf
block in log quick on iwn0(!) all head 600
block in quick inet from any to 10.0.0.0/25 port = 137 group 600
block in quick inet from 0.0.0.0/32 port = 68 to 255.255.255.255/32 port = 67 group 600
block in log quick inet from 10.0.0.0/8 to any group 600
block in log quick inet from 192.168.0.0/16 to any group 600
block in log quick inet from 172.16.0.0/12 to any group 600
block in log quick inet from 127.0.0.0/8 to any group 600
block in log quick inet from 0.0.0.0/8 to any group 600
block in log quick inet from 169.254.0.0/16 to any group 600
block in log quick inet from 192.0.2.0/24 to any group 600
block in log quick inet from x.y.64.0/23 to any group 600
block in log quick inet from 224.0.0.0/3 to any group 600
block in log quick inet from 10.0.0.8/32 to any group 600
block in log quick inet from any to 10.0.0.0/32 group 600
block in log quick inet from any to 10.0.0.127/32 group 600
pass in log quick inet proto udp from any to 10.0.0.8/32 port = ntalk keep state group 600 # count 0
block in log first quick inet proto tcp from any to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags head 620 group 600 # count 0
pass in quick inet proto tcp from x.y.139.172/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.140.215/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.220.129/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.7.79/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.21.145/32 to 10.0.0.8/32 port = smtp flags S/FSRPAU keep state keep frags group 620 # count 0
pass in quick inet proto tcp from x.y.220.129/32 to 10.0.0.8/32 port = ssh flags S/FSRPAU keep state keep frags group 600 # count 0
pass in quick inet proto udp from x.y.220.129/32 to 10.0.0.8/32 port = ssh keep state group 600 # count 0
pass in quick inet proto tcp from x.y.140.215/32 to 10.0.0.8/32 port = ssh flags S/FSRPAU keep state keep frags group 600 # count 0
pass in quick inet proto udp from x.y.140.215/32 to 10.0.0.8/32 port = ssh keep state group 600 # count 0
pass in quick inet proto udp from x.y.220.129/32 to 10.0.0.8/32 port = 58800 group 600
pass in quick inet proto udp from x.y.139.172/32 to 10.0.0.8/32 port = 58800 group 600
pass in quick inet proto udp from x.y.140.215/32 to 10.0.0.8/32 port = 58800 group 600
block in quick inet proto icmp from any to 10.0.0.8/32 group 600
block in quick inet proto tcp from any to 10.0.0.8/32 group 600
block in quick inet proto udp from any to 10.0.0.8/32 group 600
block out log quick on iwn0(!) all head 650
block out log quick inet from any to 10.0.0.0/8 group 650
block out log quick inet from any to 192.168.0.0/16 group 650
block out log quick inet from any to 172.16.0.0/12 group 650
block out log quick inet from any to 127.0.0.0/8 group 650
block out log quick inet from any to 0.0.0.0/8 group 650
block out log quick inet from any to 169.254.0.0/16 group 650
block out log quick inet from any to 192.0.2.0/24 group 650
block out log quick inet from any to x.y.64.0/23 group 650
block out log quick inet from any to 224.0.0.0/3 group 650
pass out quick inet proto tcp from 10.0.0.8/32 to any port = nntp flags S/SA keep state keep frags group 650 # count 0
pass out quick inet proto tcp from 10.0.0.8/32 to any port = mmcc flags S/SA keep state keep frags group 650 # count 0
pass out quick inet proto tcp from 10.0.0.8/32 to any flags S/FSRPAU keep state keep frags group 650 # count 0
pass out quick inet proto udp from 10.0.0.8/32 to any keep state group 650 # count 0
pass out quick inet proto icmp from 10.0.0.8/32 to any keep state group 650 # count 0
0 root:wheel@t61//etc/ipf.d# ipfstat -ion
@1 block out log quick on iwn0 all head 650
@1 block in log quick on iwn0 all head 600
>Fix:
Please try this patch.
--- src/external/bsd/ipf/dist/tools/ipfstat.c.orig Mon Jul 23 12:15:16 2012
+++ src/external/bsd/ipf/dist/tools/ipfstat.c Tue Oct 16 07:46:05 2012
@@ -906,6 +906,12 @@
}
}
+ while ((g = grtop) != NULL) {
+ printlivelist(fiop, out, set, NULL, g->fg_name, comment);
+ grtop = g->fg_next;
+ free(g);
+ }
+
num = IPFGENITER_IPF;
(void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
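Review bot: In the added while loop, printlivelist() is called before `grtop = g->fg_next`, so if this loop sits inside printlivelist() itself (the hunk header does not name the function), a nested call reaches the same loop with grtop still pointing at the entry being processed and calls itself on it again. Advance grtop before the call, or run the loop only for the top-level invocation (for example when the group argument is NULL), so nested calls cannot re-enter the drain. Note also that `free(g)` runs only after the call returns, so any re-entry that did unwind would free the same entry more than once.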
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: darrenr@NetBSD.org
Responsible-Changed-When: Thu, 20 Jun 2013 14:56:46 +0000
Responsible-Changed-Why:
not kernel problem
From: Takahiro HAYASHI <t.hash425@gmail.com>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org
Cc:
Subject: Re: kern/47850: ipfstat is broken.
Date: Wed, 14 May 2014 20:08:59 +0900
> Synopsis: ipfstat does not list all the rules anymore
The patch provided in http://gnats.netbsd.org/47850
causes an infinite recursive call and dumps core.
This should do as netbsd-6's ipfstat does.
Index: src/external/bsd/ipf/dist/tools/ipfstat.c
===================================================================
RCS file: /cvsroot/src/external/bsd/ipf/dist/tools/ipfstat.c,v
retrieving revision 1.3
diff -u -p -r1.3 ipfstat.c
--- src/external/bsd/ipf/dist/tools/ipfstat.c 22 Jul 2012 14:27:51 -0000 1.3
+++ src/external/bsd/ipf/dist/tools/ipfstat.c 7 Feb 2014 12:12:28 -0000
@@ -916,6 +916,16 @@ printlivelist(fiop, out, set, fp, group,
}
} while (fp->fr_next != NULL);
+ if (group == NULL) {
+ while ((g = grtop) != NULL) {
+ printf("# Group %s\n", g->fg_name);
+ printlivelist(fiop, out, set, NULL, g->fg_name,
+ comment);
+ grtop = g->fg_next;
+ free(g);
+ }
+ }
+
num = IPFGENITER_IPF;
(void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
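Review bot: The `if (group == NULL)` drain is inserted ahead of the `SIOCIPFDELTOK` ioctl, so every nested printlivelist() call runs its own iteration and issues its own SIOCIPFDELTOK for IPFGENITER_IPF before the outer call has reached this ioctl for its own iteration. Consider moving the block below the ioctl so the outer iteration is fully closed before the per-group listings start. The added `printf("# Group %s\n", ...)` also changes what `ipfstat -io` prints; that is worth a line in the commit message or the manual page.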
--
t-hash
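
The failure mode discussed in this report (a drain of the pending-group list that re-enters itself) next to the `group == NULL` guard, as a simplified model added here; it is not ipfstat code. The rule table, `push_group`, `list_rules` and the recursion cap are constructed for illustration, and the model assumes the pending list is shared between nested calls.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not ipfstat source: a rule sits in a group ("" = top
 * level) and may open a new group via "head", as in the ruleset above. */
struct rule { const char *group, *head; };
static const struct rule rules[] = {
    {"", "600"}, {"600", NULL}, {"600", "620"}, {"620", NULL},
    {"620", NULL}, {"", "650"}, {"650", NULL},
};
struct grp { const char *name; struct grp *next; };
static struct grp *grtop;  /* pending groups, shared by all nested calls */
static int runaway;        /* set when the model's recursion cap trips */

static void push_group(const char *name) {
    struct grp *g = calloc(1, sizeof(*g)), **pp = &grtop;
    if (g == NULL) abort();
    g->name = name;
    while (*pp != NULL) pp = &(*pp)->next;  /* append at the tail */
    *pp = g;
}

/* Returns how many rules were listed; guarded == 0 models an unguarded drain. */
static int list_rules(const char *group, int guarded, int depth) {
    struct grp *g;
    int n = 0;
    if (depth > 32) { runaway = 1; return 0; }
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        if (strcmp(rules[i].group, group ? group : "") != 0) continue;
        n++;
        if (rules[i].head != NULL) push_group(rules[i].head);
    }
    if (guarded && group != NULL) return n;  /* only the top level drains */
    while ((g = grtop) != NULL) {
        n += list_rules(g->name, guarded, depth + 1);
        if (runaway) return n;  /* model only: stop before a double free */
        grtop = g->next;
        free(g);
    }
    return n;
}

int main(void) {
    printf("guarded: %d of 7 rules listed\n", list_rules(NULL, 1, 0));
    list_rules(NULL, 0, 0);
    printf("unguarded: runaway=%d\n", runaway);
    return 0;
}
```

In the guarded run the nested head (620 under 600) is still listed, because the top-level loop picks up entries that nested calls append to the tail.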
From: Darren Reed <darrenr@fastmail.net>
To: gnats-bugs@NetBSD.org, ipf-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, christos@netbsd.org
Cc:
Subject: Re: kern/47850: ipfstat is broken.
Date: Sun, 15 Jun 2014 22:15:19 +1000
Patches for ipfilter to fix it on sparc64 and in general have been
posted to tech-net@netbsd.org.
Darren
>Unformatted: