Re: ipfstat not clearing the state table - a similar problem?
This is a discussion on Re: ipfstat not clearing the state table - a similar problem? within the IPFilter forums, part of the System Security and Security Related category; This is a multi-part message in MIME format. --------------060408060505050409080603 Content-Type: text/plain; charset=ISO-8859-1; format=flowed ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
12-09-2006
|
|||
|
|||
Re: ipfstat not clearing the state table - a similar problem?
This is a multi-part message in MIME format.
--------------060408060505050409080603 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit In order to analyse this problem some more... There is a patch attached to this email that will keep "orphans" in the linked list of state entries but will remove them from the state table (lookups will not find them.) Output from "ipfstat -sl" will prepend the word "ORPHAN" to the first line of an entry, should it encounter one... Darren --------------060408060505050409080603 Content-Type: text/plain; name="orph.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="orph.patch" Index: ip_state.c ================================================== ================= RCS file: /devel/CVS/IP-Filter/ip_state.c,v retrieving revision 2.186.2.49 diff -c -r2.186.2.49 ip_state.c *** ip_state.c 28 Oct 2006 06:56:03 -0000 2.186.2.49 --- ip_state.c 8 Dec 2006 04:20:13 -0000 *************** *** 128,134 **** static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *)); static int fr_state_flush __P((int, int)); static ips_stat_t *fr_statetstats __P((void)); ! static void fr_delstate __P((ipstate_t *, int)); static int fr_state_remove __P((caddr_t)); static void fr_ipsmove __P((ipstate_t *, u_int)); static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *)); --- 128,134 ---- static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *)); static int fr_state_flush __P((int, int)); static ips_stat_t *fr_statetstats __P((void)); ! static int fr_delstate __P((ipstate_t *, int)); static int fr_state_remove __P((caddr_t)); static void fr_ipsmove __P((ipstate_t *, u_int)); static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *)); *************** *** 301,307 **** ipstate_t *is; while ((is = ips_list) != NULL) ! fr_delstate(is, 0); /* * Proxy timeout queues are not cleaned here because although they --- 301,307 ---- ipstate_t *is; while ((is = ips_list) != NULL) ! fr_delstate(is, ISL_UNLOAD); /* * Proxy timeout queues are not cleaned here because although they *************** *** 2838,2844 **** /* and timeout queue lists. Make adjustments to hash table statistics and */ /* global counters as required. */ /* ------------------------------------------------------------------------ */ ! static void fr_delstate(is, why) ipstate_t *is; int why; { --- 2838,2844 ---- /* and timeout queue lists. Make adjustments to hash table statistics and */ /* global counters as required. */ /* ------------------------------------------------------------------------ */ ! static int fr_delstate(is, why) ipstate_t *is; int why; { *************** *** 2849,2864 **** * Since we want to delete this, remove it from the state table, * where it can be found & used, first. */ - if (is->is_pnext != NULL) { - *is->is_pnext = is->is_next; - - if (is->is_next != NULL) - is->is_next->is_pnext = is->is_pnext; - - is->is_pnext = NULL; - is->is_next = NULL; - } - if (is->is_phnext != NULL) { *is->is_phnext = is->is_hnext; if (is->is_hnext != NULL) --- 2849,2854 ---- *************** *** 2904,2910 **** */ is->is_ref--; if (is->is_ref > 0) ! return; if (is->is_tqehead[0] != NULL) { if (fr_deletetimeoutqueue(is->is_tqehead[0]) == 0) --- 2894,2900 ---- */ is->is_ref--; if (is->is_ref > 0) ! return is->is_ref; if (is->is_tqehead[0] != NULL) { if (fr_deletetimeoutqueue(is->is_tqehead[0]) == 0) *************** *** 2923,2928 **** --- 2913,2931 ---- (void) ipsc_detachis(is); #endif + /* + * Now remove it from the linked list of known states + */ + if (is->is_pnext != NULL) { + *is->is_pnext = is->is_next; + + if (is->is_next != NULL) + is->is_next->is_pnext = is->is_pnext; + + is->is_pnext = NULL; + is->is_next = NULL; + } + if (ipstate_logging != 0 && why != 0) ipstate_log(is, why); *************** *** 2939,2944 **** --- 2942,2949 ---- MUTEX_DESTROY(&is->is_lock); KFREE(is); ips_num--; + + return 0; } *************** *** 3056,3063 **** } if (delete) { ! fr_delstate(is, ISL_FLUSH); ! removed++; } else isp = &is->is_next; } --- 3061,3070 ---- } if (delete) { ! if (fr_delstate(is, ISL_FLUSH) == 0) ! removed++; ! else ! isp = &is->is_next; } else isp = &is->is_next; } *************** *** 3104,3111 **** break; tqn = tqe->tqe_next; is = tqe->tqe_parent; ! fr_delstate(is, ISL_EXPIRE); ! removed++; } } --- 3111,3118 ---- break; tqn = tqe->tqe_next; is = tqe->tqe_parent; ! if (fr_delstate(is, ISL_EXPIRE) == 0) ! removed++; } } *************** *** 3118,3125 **** break; tqn = tqe->tqe_next; is = tqe->tqe_parent; ! fr_delstate(is, ISL_EXPIRE); ! removed++; } } if (try + interval > maxtick) --- 3125,3132 ---- break; tqn = tqe->tqe_next; is = tqe->tqe_parent; ! if (fr_delstate(is, ISL_EXPIRE) == 0) ! removed++; } } if (try + interval > maxtick) Index: lib/printstate.c ================================================== ================= RCS file: /devel/CVS/IP-Filter/lib/printstate.c,v retrieving revision 1.11.2.9 diff -c -r1.11.2.9 printstate.c *** lib/printstate.c 14 Jul 2006 06:12:27 -0000 1.11.2.9 --- lib/printstate.c 8 Dec 2006 04:19:32 -0000 *************** *** 17,22 **** --- 17,24 ---- { synclist_t ipsync; + if (sp->is_phnext == NULL) + PRINTF("ORPHAN "); PRINTF("%s -> ", hostname(sp->is_v, &sp->is_src.in4)); PRINTF("%s pass %#x pr %d state %d/%d bkt %d\n", hostname(sp->is_v, &sp->is_dst.in4), sp->is_pass, sp->is_p, --------------060408060505050409080603-- 
|
Linear Mode
