From owner-freebsd-stable Mon Jan 14 22: 1:47 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id AE3D837B402 for ; Mon, 14 Jan 2002 22:01:43 -0800 (PST)
Received: from dialup-209.245.141.91.dial1.sanjose1.level3.net ([209.245.141.91] helo=blossom.cjclark.org) by albatross.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16QMfD-0006CM-00; Mon, 14 Jan 2002 22:01:41 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id g0F61AS29473; Mon, 14 Jan 2002 22:01:10 -0800 (PST) (envelope-from cjc)
Date: Mon, 14 Jan 2002 22:01:10 -0800
From: "Crist J . Clark"
To: Nate Williams
Cc: Ian , stable@FreeBSD.ORG
Subject: Re: tcp keepalive and dynamic ipfw rules
Message-ID: <20020114220110.A28767@blossom.cjclark.org>
References: <15427.48196.58840.602666@caddis.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <15427.48196.58840.602666@caddis.yogotech.com>; from nate@yogotech.com on Mon, Jan 14, 2002 at 10:21:08PM -0700
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Jan 14, 2002 at 10:21:08PM -0700, Nate Williams wrote:
[Attribution was lost.]
> > No, it's not that dumb. The implication of Nate's reply was wrong. When a
> > tcp connection closes a dynamic rule involving that connection is changed
> > from the dyn_ack_lifetime period (which can safely be long) to the
> > dyn_fin_lifetime period which by default is fairly short.
>
> Really? I thought IPFW's state handling was *really* that dumb, at
> least in comparison to IPF's. Does ipfw really keep track of setup and
> teardown of the link?
The code is pretty straightforward, but yes, it does,

    if (pkt->proto == IPPROTO_TCP) { /* update state according to flags */
        u_char flags = pkt->flags & (TH_FIN|TH_SYN|TH_RST);

        /* forward-direction flags live in the low byte, reverse in the high byte */
        q->state |= (dir == MATCH_FORWARD) ? flags : (flags << 8);
        switch (q->state) {
        case TH_SYN:                            /* opening */
            q->expire = time_second + dyn_syn_lifetime;
            break;
        case TH_SYN | (TH_SYN << 8):            /* move to established */
            q->expire = time_second + q->lifetime;
            break;
        case TH_SYN | (TH_SYN << 8) | TH_FIN:
        case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8):
            /* one side tries to close */
            q->expire = time_second + dyn_ack_lifetime;
            break;
        case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8):
            /* both sides closed */
            q->expire = time_second + dyn_fin_lifetime;
            break;
        default:
    #if 0
            /*
             * reset or some invalid combination, but can also
             * occur if we use keep-state the wrong way.
             */
            if ((q->state & ((TH_RST << 8)|TH_RST)) == 0)
                printf("invalid state: 0x%x\n", q->state);
    #endif
            q->expire = time_second + dyn_rst_lifetime;
            break;
        }
    }

--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
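The following is an added user-space model of the state transitions quoted in the message above; it is example code, not the ipfw source and not something the poster wrote. The TH_* bit values match <netinet/tcp.h>, but the lifetime numbers are assumed here purely for illustration (on a real system they come from the net.inet.ip.fw.dyn_*_lifetime sysctls), and the two packet sequences are constructed. Running it shows which lifetime a dynamic rule is granted at each step of a handshake, a data exchange, an orderly close and a reset.

```c
/* Added example: user-space model of ipfw's TCP dynamic-rule state tracking.
 * Not the kernel code; lifetimes and packet sequences are constructed. */
#include <stddef.h>
#include <stdio.h>

/* TCP flag bits, same values as <netinet/tcp.h> */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

#define MATCH_FORWARD 0   /* packet travels in the direction the rule was created */
#define MATCH_REVERSE 1   /* packet travels the other way */

/* Assumed values (seconds) standing in for the net.inet.ip.fw.dyn_*_lifetime knobs. */
static unsigned dyn_syn_lifetime = 20;
static unsigned dyn_ack_lifetime = 300;
static unsigned dyn_fin_lifetime = 1;
static unsigned dyn_rst_lifetime = 1;

struct dyn_rule {
    unsigned state;    /* forward flags in bits 0-7, reverse flags in bits 8-15 */
    unsigned lifetime; /* lifetime used once the connection is established */
    unsigned expire;   /* absolute time at which the rule would be reaped */
};

void dyn_rule_init(struct dyn_rule *q, unsigned now)
{
    q->state = 0;
    q->lifetime = dyn_ack_lifetime;
    q->expire = now + dyn_syn_lifetime;
}

/* Same decision table as the quoted kernel code. Returns the granted lifetime. */
unsigned dyn_tcp_update(struct dyn_rule *q, unsigned char pkt_flags, int dir, unsigned now)
{
    unsigned char flags = pkt_flags & (TH_FIN | TH_SYN | TH_RST);
    unsigned granted;

    /* Flags accumulate and are never cleared, so a pure ACK or data packet
     * (no FIN/SYN/RST) leaves the state exactly where it was. */
    q->state |= (dir == MATCH_FORWARD) ? flags : (flags << 8);

    switch (q->state) {
    case TH_SYN:                                           /* opening */
        granted = dyn_syn_lifetime; break;
    case TH_SYN | (TH_SYN << 8):                           /* established */
        granted = q->lifetime; break;
    case TH_SYN | (TH_SYN << 8) | TH_FIN:                  /* one side closing */
    case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8):
        granted = dyn_ack_lifetime; break;
    case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8):  /* both sides closed */
        granted = dyn_fin_lifetime; break;
    default:                                               /* RST or unexpected mix */
        granted = dyn_rst_lifetime; break;
    }
    q->expire = now + granted;
    return granted;
}

struct pkt { unsigned char flags; int dir; };

/* Replay a packet sequence against a fresh rule. Returns the lifetime granted
 * by the last packet and, if out is non-NULL, records every granted lifetime. */
unsigned dyn_replay(const struct pkt *seq, size_t n, unsigned *out)
{
    struct dyn_rule q;
    unsigned granted = 0;
    dyn_rule_init(&q, 1000);
    for (size_t i = 0; i < n; i++) {
        granted = dyn_tcp_update(&q, seq[i].flags, seq[i].dir, 1000 + (unsigned)i);
        if (out) out[i] = granted;
    }
    return granted;
}

/* Constructed sequence: handshake, data ACK, orderly close from both sides. */
static const struct pkt full_close[] = {
    { TH_SYN,          MATCH_FORWARD },
    { TH_SYN | TH_ACK, MATCH_REVERSE },
    { TH_ACK,          MATCH_FORWARD },
    { TH_FIN | TH_ACK, MATCH_FORWARD },
    { TH_FIN | TH_ACK, MATCH_REVERSE },
};
#define FULL_CLOSE_LEN (sizeof full_close / sizeof full_close[0])

/* Constructed sequence: same handshake, torn down by a reset instead. */
static const struct pkt reset_close[] = {
    { TH_SYN,          MATCH_FORWARD },
    { TH_SYN | TH_ACK, MATCH_REVERSE },
    { TH_RST | TH_ACK, MATCH_REVERSE },
};
#define RESET_CLOSE_LEN (sizeof reset_close / sizeof reset_close[0])

int main(void)
{
    unsigned out[FULL_CLOSE_LEN];
    dyn_replay(full_close, FULL_CLOSE_LEN, out);
    for (size_t i = 0; i < FULL_CLOSE_LEN; i++)
        printf("packet %zu -> lifetime %u s\n", i, out[i]);
    return 0;
}
```

For the orderly close the model grants 20, 300, 300, 300 and finally 1 second: the rule sits at the ack lifetime through the established and half-closed phases and collapses to the fin lifetime only once both FINs have been seen, which is the behaviour the message describes. The reset sequence ends at the rst lifetime through the default case. Because the state only ever accumulates bits, an idle connection that exchanges no FIN/SYN/RST keeps being refreshed at q->lifetime on every matching packet, which is why keepalive traffic matters for long-lived sessions behind a dynamic rule.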