Firewall rule duplication with two tariff plans

Technical questions about UTM 5.0
pavzen
Posts: 4
Joined: Mon Jul 31, 2006 23:38


Post by pavzen »

There is a user who has 2 tariff plans.
Each tariff plan has its own firewall rule and its own IP.

When the internet is enabled, this is what happens:

rfw.log:

?Debug : Aug 13 05:07:05 RFW URFA[plugin]: Got 'exec' command...
?Debug : Aug 13 05:07:05 FWCntl: Waiting second child process ... second child pid <8254>
?Debug : Aug 13 05:07:05 FWCntl: Executing command </bin/sh>
?Debug : Aug 13 05:07:05 FWCntl: Second child process <8254> exited with status <-1>
?Debug : Aug 13 05:07:05 FWCntl: Executing FW rule: /netup/utm/enable.sh 172.16.0.206/32 5001 512 pipe is done.
?Debug : Aug 13 05:07:05 RFW URFA[plugin]: Got 'exec' command...
?Debug : Aug 13 05:07:05 FWCntl: Waiting second child process ... second child pid <8260>
?Debug : Aug 13 05:07:05 FWCntl: Executing command </bin/sh>
?Debug : Aug 13 05:07:05 FWCntl: Second child process <8260> exited with status <-1>
?Debug : Aug 13 05:07:05 FWCntl: Executing FW rule: /netup/utm/enable.sh 172.16.0.204/32 5001 512 pipe is done.
?Debug : Aug 13 05:07:05 RFW URFA[plugin]: Got 'exec' command...
?Debug : Aug 13 05:07:05 FWCntl: Waiting second child process ... second child pid <8266>
?Debug : Aug 13 05:07:05 FWCntl: Executing command </bin/sh>
?Debug : Aug 13 05:07:05 FWCntl: Second child process <8266> exited with status <-1>
?Debug : Aug 13 05:07:05 FWCntl: Executing FW rule: /netup/utm/enable.sh 172.16.0.206/32 5001 64 queue is done.
?Debug : Aug 13 05:07:05 RFW URFA[plugin]: Got 'exec' command...
?Debug : Aug 13 05:07:05 FWCntl: Waiting second child process ... second child pid <8272>
?Debug : Aug 13 05:07:05 FWCntl: Executing command </bin/sh>
?Debug : Aug 13 05:07:05 FWCntl: Second child process <8272> exited with status <-1>
?Debug : Aug 13 05:07:05 FWCntl: Executing FW rule: /netup/utm/enable.sh 172.16.0.204/32 5001 64 queue is done.

That is, instead of 2 commands we get four: 2 commands with the first tariff's rule for each IP, and 2 commands with the second tariff's rule for each IP.
Accordingly, the internet is enabled for both tariffs according to the first tariff's rule.

Looking at debug.log:

?Debug : Aug 13 05:17:51 BusLogic: try to execute 39
?Debug : Aug 13 05:17:51 BusLogic: hw_block_handler with code 39
?Debug : Aug 13 05:17:51 BusLogic: hw_block_handler start bla_user_hw_unblock|bla_user_hw_block
?Debug : Aug 13 05:17:51 DBCtx: SQL SELECT query: SELECT rule_on,rule_off,router_id FROM firewall_rules WHERE is_deleted='0' AND ((uid='1' AND uid!='0') OR is_for_all='1' OR (( group_id='301' OR group_id='1304' OR group_id='10000' OR group_id='1300' OR group_id='102') AND group_id!='0') OR ((tariff_id='419' OR tariff_id='399') AND tariff_id!='0'))
?Debug : Aug 13 05:17:51 ModFWMan: Ready to execute 2 FW rules for UID 1. State:1
?Debug : Aug 13 05:17:51 DBCtx: SQL SELECT query: SELECT id,router_type,router_ip,login,password,router_comments FROM routers_info WHERE is_deleted='0'
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Setting RULE_ID to <5001> uid <1>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting ACCOUNT_ID with value <1> original value <0>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting UBITS with value <32> original value <-1>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting EMAIL with value <eee@eee.com> (obtained from user data)
?Debug : Aug 13 05:17:51 ModFWMan: Exec [/netup/utm/enable.sh 172.16.0.206/32 5001 512 pipe] on 1
?Debug : Aug 13 05:17:51 FW@172.16.254.254: Sending [/netup/utm/enable.sh 172.16.0.206/32 5001 512 pipe]
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Setting RULE_ID to <5001> uid <1>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting ACCOUNT_ID with value <1> original value <0>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting UBITS with value <32> original value <-1>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting EMAIL with value <eee@eee.com> (obtained from user data)
?Debug : Aug 13 05:17:51 ModFWMan: Exec [/netup/utm/enable.sh 172.16.0.204/32 5001 512 pipe] on 1
?Debug : Aug 13 05:17:51 FW@172.16.254.254: Sending [/netup/utm/enable.sh 172.16.0.204/32 5001 512 pipe]
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Setting RULE_ID to <5001> uid <1>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting ACCOUNT_ID with value <1> original value <0>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting UBITS with value <32> original value <-1>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting EMAIL with value <eee@eee.com> (obtained from user data)
?Debug : Aug 13 05:17:51 ModFWMan: Exec [/netup/utm/enable.sh 172.16.0.206/32 5001 64 queue] on 1
?Debug : Aug 13 05:17:51 FW@172.16.254.254: Sending [/netup/utm/enable.sh 172.16.0.206/32 5001 64 queue]
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Setting RULE_ID to <5001> uid <1>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting ACCOUNT_ID with value <1> original value <0>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting UBITS with value <32> original value <-1>
?Debug : Aug 13 05:17:51 ModFWMan: FW rule parse. Substituting EMAIL with value <eee@eee.com> (obtained from user data)
?Debug : Aug 13 05:17:51 ModFWMan: Exec [/netup/utm/enable.sh 172.16.0.204/32 5001 64 queue] on 1
?Debug : Aug 13 05:17:51 FW@172.16.254.254: Sending [/netup/utm/enable.sh 172.16.0.204/32 5001 64 queue]
?Debug : Aug 13 05:17:51 BusLogic: hw_block_handler end bla_user_hw_unblock|bla_user_hw_block
?Debug : Aug 13 05:17:51 BusLogic: finished unknown

That is, the rules are executed four times.

We run the query:


mysql> SELECT * FROM firewall_rules WHERE is_deleted='0' AND ((uid='1' AND uid!='0') OR is_for_all='1' OR (( group_id='301' OR group_id='1304' OR group_id='10000' OR group_id='1300') AND group_id!='0') OR ((tariff_id='419' OR tariff_id='399') AND tariff_id!='0'));
+----+------------+------+----------+-----------+-------------------------------------------------+----------------------------------------+-----------+------------+
| id | is_for_all | uid  | group_id | tariff_id | rule_on                                         | rule_off                               | router_id | is_deleted |
+----+------------+------+----------+-----------+-------------------------------------------------+----------------------------------------+-----------+------------+
| 45 |          0 |    0 |        0 |       399 | /netup/utm/enable.sh UIP/UBITS RULE_ID 512 pipe | /netup/utm/disable_inet.sh UIP RULE_ID |         1 |          0 |
| 63 |          0 |    0 |        0 |       419 | /netup/utm/enable.sh UIP/UBITS RULE_ID 64 queue | /netup/utm/disable_inet.sh UIP RULE_ID |         1 |          0 |
+----+------------+------+----------+-----------+-------------------------------------------------+----------------------------------------+-----------+------------+


The rules are defined only for the tariff plan.
Moreover, this did not happen before. Where should I dig?
Version 5.1.10-017
Thanks in advance.
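As an added example (not part of the post and not NetUP's code), the following script parses the `ModFWMan: Exec [...]` lines of a debug.log like the one above and reports how many IPs each tariff rule template was actually pushed to, so the rules-times-IPs cross-product described in the post can be spotted automatically; the sample log lines are constructed from the post, and the assumption that each tariff rule should fire exactly once (for its own IP) is the poster's, not something verified against UTM5 internals.

```python
import re
from collections import defaultdict

# Constructed sample: the four "Exec" lines from the debug.log above, one user (uid 1)
# with two tariff rules (512 pipe / 64 queue) and two IPs (.206 and .204).
SAMPLE_LOG = """\
?Debug : Aug 13 05:17:51 ModFWMan: Exec [/netup/utm/enable.sh 172.16.0.206/32 5001 512 pipe] on 1
?Debug : Aug 13 05:17:51 ModFWMan: Exec [/netup/utm/enable.sh 172.16.0.204/32 5001 512 pipe] on 1
?Debug : Aug 13 05:17:51 ModFWMan: Exec [/netup/utm/enable.sh 172.16.0.206/32 5001 64 queue] on 1
?Debug : Aug 13 05:17:51 ModFWMan: Exec [/netup/utm/enable.sh 172.16.0.204/32 5001 64 queue] on 1
"""

# Matches the command inside "Exec [...]": script, IP/prefix, RULE_ID, remaining args, router id.
EXEC_RE = re.compile(
    r"ModFWMan: Exec \[(?P<script>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<bits>\d+) "
    r"(?P<rule_id>\d+)(?P<args>[^\]]*)\] on (?P<router>\d+)"
)


def parse_exec_lines(text):
    """Return one dict per 'ModFWMan: Exec [...]' line; all other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            d = m.groupdict()
            d["args"] = d["args"].strip()
            out.append(d)
    return out


def rule_ip_matrix(execs):
    """Map each rule template (script + trailing args) to the sorted IPs it was run for."""
    matrix = defaultdict(set)
    for e in execs:
        matrix[(e["script"], e["args"])].add(e["ip"])
    return {k: sorted(v) for k, v in matrix.items()}


def excess_executions(execs):
    """Assumed expectation (from the post): each tariff rule fires once, for its own IP,
    so the expected count equals the number of distinct rule templates; anything above
    that is the rules x IPs cross-product."""
    return len(execs) - len(rule_ip_matrix(execs))


if __name__ == "__main__":
    execs = parse_exec_lines(SAMPLE_LOG)
    for (script, args), ips in rule_ip_matrix(execs).items():
        print(f"{script} ... {args}: applied to {len(ips)} IP(s): {', '.join(ips)}")
    print("excess executions:", excess_executions(execs))
```

Run against a real debug.log, a rule template listed with more than one IP for a single uid is the symptom the post describes.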
