Improve periodic/security/550.ipfwlimit a bit:

- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless - handle rules without logging limit correctly [1] (those rules show up without logamount in "ipfw -a list") PR: conf/126060 [1] MFC after: 1 month
2008-08-10 18:11:24 +00:00 · 2008-08-10 18:11:24 +00:00 · e5067d55c3
commit e5067d55c3
parent fd54542001
1 changed files with 3 additions and 6 deletions
--- a/etc/periodic/security/550.ipfwlimit
+++ b/etc/periodic/security/550.ipfwlimit
@ -42,19 +42,16 @@ rc=0

 case "$daily_status_security_ipfwlimit_enable" in
    [Yy][Ee][Ss])
-	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-	if [ $? -ne 0 ]; then
+	IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
+	if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
 		exit 0
 	fi
 	TMP=`mktemp -t security`
 	ipfw -a list | grep " log " | \
 	grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
-	awk -v limit="$IPFW_LOG_LIMIT" \
+	awk \
 		'{if ($6 == "logamount") {
 			if ($2 > $7)
-				{print $0}
-		} else {
-			if ($2 > limit)
 				{print $0}}
 		}' > ${TMP}