Luigi Rizzo wrote:
> On Fri, Oct 11, 2002 at 12:46:36AM -0400, abe wrote:
> ...
> >     Unfortunately, feedback sent while in good intentions did not
> > help.  However, in further tinkering with this issue I believe I've
> > come to a conclusion.  I run a rather high-traffic server so I had
> > initially increased net.inet.ip.fw.dyn_buckets to 500, from the
> > default 256
> 
> ah... i think the bucket size has to be a power of two (and I thought
> the kernel would check that the value is correct, but i might have missed
> something).

It does check.  There's a bug in the allocation code, though, where
if it fails the allocation, it can take something that was working,
and make it non-working.  It can also fail the initial allocation,
and drop into the rest of the code, if the value is changed before
the startup.

See my last posting for a patch for these.

I still think the problem is related to the number of requests on
a particular UDP socket from too many sources: the failure is in
the UDP send path for dynamic rule insertion, which implies that it's
a UDP response.  Probably, you could use this to get a packet in that
you shouldn't be able to get in, BTW, by abusing a response from an
allowed request to make an illegal request (I'm not that into the
ipfw code, though).

-- Terry
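The two failure modes discussed above (a bucket count that is not a power of two, and an allocation failure during a resize that clobbers a table that was working) can be shown with a small hypothetical bucket table. This is an added example written for this thread, not ipfw's code or the patch Terry refers to; the structure names, the `fail_next_alloc` test hook and the sample keys are all constructed for illustration. The safe pattern it demonstrates is: validate the requested size first, allocate the new table before touching the old one, and only swap the pointers once the allocation has succeeded, so a failed resize leaves the existing rules intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical dynamic-rule entry and bucket table (constructed; not ipfw's layout). */
struct dyn_rule {
    uint32_t key;              /* constructed flow key */
    struct dyn_rule *next;
};

struct dyn_table {
    struct dyn_rule **buckets; /* NULL until the first successful resize */
    unsigned nbuckets;         /* always a power of two when non-zero */
};

/* A bucket count must be a non-zero power of two so that key & (n - 1) is a valid index. */
static int is_power_of_two(unsigned n) {
    return n != 0 && (n & (n - 1)) == 0;
}

/* Test hook (constructed): when set, the next bucket allocation is forced to fail. */
static int fail_next_alloc = 0;

static struct dyn_rule **alloc_buckets(unsigned n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(n, sizeof(struct dyn_rule *));
}

/* Resize the table. Returns 0 on success, -1 if new_n is rejected, -2 on allocation failure.
 * In both failure cases the old table is left exactly as it was. */
int dyn_table_resize(struct dyn_table *t, unsigned new_n) {
    if (!is_power_of_two(new_n))
        return -1;
    struct dyn_rule **nb = alloc_buckets(new_n);
    if (nb == NULL)
        return -2;                         /* old buckets untouched, lookups keep working */
    /* Rehash every existing rule into the new bucket array. */
    for (unsigned i = 0; i < t->nbuckets; i++) {
        struct dyn_rule *r = t->buckets[i];
        while (r != NULL) {
            struct dyn_rule *next = r->next;
            unsigned idx = r->key & (new_n - 1);
            r->next = nb[idx];
            nb[idx] = r;
            r = next;
        }
    }
    free(t->buckets);                      /* only now is the old table released */
    t->buckets = nb;
    t->nbuckets = new_n;
    return 0;
}

int dyn_table_insert(struct dyn_table *t, uint32_t key) {
    if (t->buckets == NULL) return -1;     /* no table: refuse rather than dereference NULL */
    struct dyn_rule *r = malloc(sizeof *r);
    if (r == NULL) return -2;
    r->key = key;
    unsigned idx = key & (t->nbuckets - 1);
    r->next = t->buckets[idx];
    t->buckets[idx] = r;
    return 0;
}

int dyn_table_lookup(const struct dyn_table *t, uint32_t key) {
    if (t->buckets == NULL) return 0;
    for (struct dyn_rule *r = t->buckets[key & (t->nbuckets - 1)]; r != NULL; r = r->next)
        if (r->key == key) return 1;
    return 0;
}

void dyn_table_free(struct dyn_table *t) {
    for (unsigned i = 0; i < t->nbuckets; i++) {
        struct dyn_rule *r = t->buckets[i];
        while (r != NULL) { struct dyn_rule *next = r->next; free(r); r = next; }
    }
    free(t->buckets);
    t->buckets = NULL;
    t->nbuckets = 0;
}

/* Walks the scenario from the thread: 256 buckets, a rejected 500, a failed grow, a good grow.
 * Returns 1 if the table behaved safely at every step, 0 otherwise. */
int run_scenario(void) {
    struct dyn_table t = { NULL, 0 };
    if (dyn_table_resize(&t, 256) != 0) return 0;
    if (dyn_table_insert(&t, 0x1234) != 0 || dyn_table_insert(&t, 0x5678) != 0) return 0;
    if (dyn_table_resize(&t, 500) != -1 || t.nbuckets != 256) return 0;   /* not a power of two */
    fail_next_alloc = 1;
    if (dyn_table_resize(&t, 512) != -2) return 0;                         /* allocation failed */
    if (!dyn_table_lookup(&t, 0x1234) || !dyn_table_lookup(&t, 0x5678)) return 0;
    if (dyn_table_resize(&t, 512) != 0 || t.nbuckets != 512) return 0;     /* successful grow */
    if (!dyn_table_lookup(&t, 0x1234) || dyn_table_lookup(&t, 0x9999)) return 0;
    dyn_table_free(&t);
    return 1;
}

int main(void) {
    printf("scenario %s\n", run_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The point of the `-2` path is the one Terry describes: a resize that fails halfway must not leave the table in a state where the rules that were working are gone, and an initial allocation failure must leave `buckets` at NULL so that insert refuses instead of dereferencing it.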
