We are using ipfw on OSX 10.6 Server, 10.7 Server ... everything works fine until we add too many rules, I think.
ipfw will still work, but it will only process a certain number of rules.
Currently wc -l /etc/ipfilter/ipfw.conf gives 10486.
ipfw is giving an Abort Trap after partially processing the file /etc/ipfilter/ipfw.conf. It seems that the default limit on the number of rules is lower than 10486.
We searched for an exhaustive answer and came to the conclusion that to raise this limit we should use sysctl -w net.inet.ip.fw.dyn_max = A LARGER NUMBER.
We tried:
sh-3.2# sysctl -w net.inet.ip.fw.dyn_max=32768
net.inet.ip.fw.dyn_max: 4096 -> 32768
but the Abort Trap still occurs at the same line number in /etc/ipfilter/ipfw.conf. It makes no difference.
Here is what is in Console:
Process: Line 9999 [92737]
Path: /sbin/ipfw
Identifier: Line 9999
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: running job [92734]
Date/Time: 2017-01-01 06:14:05.155 +0800
OS Version: Mac OS X Server 10.6.4 (10F616)
Report Version: 6
Anonymous UUID: A34B328D-1392-4E66-AE5A-A1AAD361FB0F
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Application Specific Information:
__abort() called
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 libSystem.B.dylib 0x00007fff818b83d6 __kill + 10
1 libSystem.B.dylib 0x00007fff81958913 __abort + 103
2 libSystem.B.dylib 0x00007fff8194d157 mach_msg_receive + 0
3 libSystem.B.dylib 0x00007fff818ab898 __sprintf_chk + 196
4 ipfw 0x000000010000829c 0x100000000 + 33436
5 ipfw 0x00000001000016a0 0x100000000 + 5792
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x00007fff5fbff830 rcx: 0x00007fff5fbff828 rdx: 0x0000000000000000
rdi: 0x0000000000016a41 rsi: 0x0000000000000006 rbp: 0x00007fff5fbff850 rsp: 0x00007fff5fbff828
r8: 0x0000000000000001 r9: 0x0000000100100ec0 r10: 0x00007fff818b4412 r11: 0x0000000000000206
r12: 0x00007fff702d0ec0 r13: 0x00007fff5fbff9c0 r14: 0x00007fff702c25c0 r15: 0x00007fff5fbffdc0
rip: 0x00007fff818b83d6 rfl: 0x0000000000000206 cr2: 0x000000002bcb1000
Binary Images:
0x100000000 - 0x10000afff +ipfw ??? (???) <54351948-0FF7-75DA-5974-ECA1CE04565A> /sbin/ipfw
0x7fff5fc00000 - 0x7fff5fc3bdef dyld 132.1 (???) <B536F2F1-9DF1-3B6C-1C2C-9075EA219A06> /usr/lib/dyld
0x7fff81869000 - 0x7fff81a29fef libSystem.B.dylib 125.2.0 (compatibility 1.0.0) <95E02DD0-ADEA-745B-E7FA-ABA064E4658C> /usr/lib/libSystem.B.dylib
0x7fff83937000 - 0x7fff8393bff7 libmathCommon.A.dylib 315.0.0 (compatibility 1.0.0) <95718673-FEEE-B6ED-B127-BCDBDB60D4E5> /usr/lib/system/libmathCommon.A.dylib
0x7fffffe00000 - 0x7fffffe01fff libSystem.B.dylib ??? (???) <95E02DD0-ADEA-745B-E7FA-ABA064E4658C> /usr/lib/libSystem.B.dylib
The output of sysctl -a is as follows:
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.debug: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 24576
net.inet.ip.fw.static_count: 9964
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1
We put the following line in /etc/sysctl.conf and rebooted.
net.inet.ip.fw.dyn_max=24576
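A check a reader could run before handing a rules file this large to /sbin/ipfw, added here as an example and not code from the question or from Apple's ipfw: it walks an ipfw.conf-style file offline and reports the rule count, the highest rule number, the first line whose number (given explicitly, or auto-assigned by the kernel as last number + net.inet.ip.fw.autoinc_step, which the sysctl output above shows as 100) would no longer fit below ipfw's built-in default rule 65535, and any duplicate explicit numbers. The function name, the summary line format and the sample rules are assumptions constructed for this example; the "add [rulenum] action ..." line format is the one /etc/ipfilter/ipfw.conf uses.

```shell
#!/bin/sh
# Offline sanity check for an ipfw rules file. Added example, not code from
# the original question or from ipfw itself. Assumes the "add [rulenum]
# action ..." line format that /sbin/ipfw reads from /etc/ipfilter/ipfw.conf,
# and two ipfw facts: rule numbers live in 1..65535 (65535 is the built-in
# default rule), and an "add" line without a number is auto-numbered by the
# kernel as last_number + net.inet.ip.fw.autoinc_step.
#
# Usage: ipfw_rule_check FILE [AUTOINC_STEP]
# Prints one summary line and returns 0 when nothing looks wrong, 1 otherwise.
ipfw_rule_check() {
    file=$1
    step=${2:-100}
    awk -v step="$step" '
        /^[ \t]*(#|$)/ { next }                # blank lines and comments
        $1 != "add"    { next }                # only rule additions get numbers
        {
            rules++
            if ($2 ~ /^[0-9]+$/) {             # explicit rule number
                num = $2 + 0
                explicit++
                if (num in seen) dup++
                seen[num] = 1
                bad = (num > 65535)            # outside the numbering space
            } else {                           # kernel auto-numbering
                num = last + step
                bad = (num >= 65535)           # no distinct slot below the default rule
            }
            if (bad && first == 0) first = NR
            if (num > max) max = num
            last = num
        }
        END {
            printf "rules=%d explicit=%d max_rulenum=%d first_overflow_line=%s duplicates=%d\n",
                   rules, explicit, max, (first ? first : "none"), dup
            exit ((first || dup) ? 1 : 0)
        }
    ' "$file"
}

# Demo on a constructed file (not the poster's real rules): 10486 unnumbered
# "add" lines, the line count from the question, with autoinc_step=100.
demo_file=$(mktemp)
i=0
while [ "$i" -lt 10486 ]; do
    echo "add allow ip from any to any"
    i=$((i + 1))
done > "$demo_file"
ipfw_rule_check "$demo_file" 100
rm -f "$demo_file"
```

Run it as ipfw_rule_check /etc/ipfilter/ipfw.conf 100, passing the autoinc_step value shown by sysctl -a; a non-zero return means the file has a numbering problem that no dyn_max setting will change, since dyn_max only bounds dynamic (keep-state) entries, not the static rules the file adds.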