author antoine <antoine@FreeBSD.org> 2008-08-10 18:11:24 +0000
committer antoine <antoine@FreeBSD.org> 2008-08-10 18:11:24 +0000
commit e5067d55c3287c93c340c4d0436ed76a93d2f8b2 (patch)
tree 3f116808e9278006c5dca0d4e2140123f5c81444 /etc
parent fd545420018aa4da36734b362ab931fcc178d6cb (diff)
Improve periodic/security/550.ipfwlimit a bit:
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
  (those rules show up without logamount in "ipfw -a list")

PR: conf/126060 [1]
MFC after: 1 month
Diffstat (limited to 'etc')
-rwxr-xr-x etc/periodic/security/550.ipfwlimit 9
1 files changed, 3 insertions, 6 deletions
diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit
index 6c2e1a0..daa0f86 100755
--- a/etc/periodic/security/550.ipfwlimit
+++ b/etc/periodic/security/550.ipfwlimit
@@ -42,19 +42,16 @@ rc=0
case "$daily_status_security_ipfwlimit_enable" in
[Yy][Ee][Ss])
- IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
- if [ $? -ne 0 ]; then
+ IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
+ if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
exit 0
fi
TMP=`mktemp -t security`
ipfw -a list | grep " log " | \
grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
- awk -v limit="$IPFW_LOG_LIMIT" \
+ awk \
'{if ($6 == "logamount") {
if ($2 > $7)
- {print $0}
- } else {
- if ($2 > limit)
{print $0}}
}' > ${TMP}
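Review bot: in the awk program, a logged rule is now reported only when `$6 == "logamount"` holds, so any rule line where that keyword lands in a different field is skipped without any check, where the removed else branch at least compared its packet count against verbose_limit. Consider locating "logamount" by scanning the fields rather than testing a fixed position, and add a short comment in the script stating that rules printed without logamount are intentionally not reported, since that reasoning currently lives only in the commit message. Separately, `[ "$IPFW_VERBOSE" -eq 0 ]` makes test emit an error if the sysctl ever returns an empty or non-numeric string; a string comparison (`= 0`) would keep the periodic output clean in that case.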