Date:      Sat, 17 Feb 2001 12:48:52 -0700
From:      Aaron D.Gifford <agifford@infowest.com>
To:        freebsd-gnats-submit@FreeBSD.org, freebsd-net@freebsd.org
Subject:   Re: kern/22065: Patch to add support to ipfw for per rule overriding of dynamic keep-state rule expiration lifetimes
Message-ID:  <01021712485208.38959@jardan.infowest.com>

Looks like this proposed patch (PR 22065) is still open.  I suppose that 
means no one has decided whether it is useful or not, or (far more likely) 
folks are extremely busy doing other fun and useful stuff for FreeBSD.

The patch in the PR is still mostly valid for FreeBSD 4.2-STABLE with a few 
line offset changes.  I've got an updated version of the patch against 
4.2-STABLE as of 17 FEB 2001 at the following web address:

  http://www.aarongifford.com/computers/ipfwpatch.html

I have been using the patch successfully on several moderate-traffic hosts 
with no noticeable problems.

I do still have two questions that no one has yet answered.  Still, it would 
be nice to know the following (with regard to the patch):

  1. Am I safe using the union fw_un in the ip_fw structure (in ip_fw.h) to 
store the dynamic rule's lifetime setting or will this overlap with one of 
the other uses of that union and thus require that I modify the patch to 
create a new structure member for storing the setting?

  2. Am I correct in assuming that in ip_fw.c at roughly line 800 where UDP 
and TCP matches to the dynamic rule extend the rule expiration by the 
dyn_syn_lifetime amount that this should instead only extend TCP matches by 
dyn_syn_lifetime and should extend UDP matches by dyn_short_lifetime instead? 
I believe this to be the case.  The snippet of code from ip_fw.c in question 
looks like (beginning at line 800 of ip_fw.c as of FreeBSD 4.2-STABLE on 17 
FEB 2001):

        }
        bzero (r, sizeof (*r) );

        if (mask)
            r->mask = *mask ;
        r->id = *id ;
        r->expire = time_second + dyn_syn_lifetime ;  /*<<<THIS LINE<<<*/
        r->chain = chain ;
        r->type = ((struct ip_fw_ext *)chain->rule)->dyn_type ;

        r->bucket = i ;
        r->next = ipfw_dyn_v[i] ;
        ipfw_dyn_v[i] = r ;
        dyn_count++ ;
        DEB(printf("-- add entry 0x%08x %d -> 0x%08x %d, %d left\n",
            (r->id.src_ip), (r->id.src_port),
            (r->id.dst_ip), (r->id.dst_port),
            dyn_count ); )
    }

I assume that the line above (flagged above with "<<<THIS LINE<<<") should 
instead read something like:

    r->expire = time_second + (r->id.proto == IPPROTO_TCP ?
        dyn_syn_lifetime : dyn_short_lifetime) ;

My patch assumes that this is the case and modifies the behavior so that 
non-TCP rule match expiration lifetimes are incremented by the 
dyn_short_lifetime sysctl setting (if no per-rule lifetime is specified).

I would appreciate any answers to the two above questions, question #1 in 
particular, as well as any other commentary or suggestions.

Thanks,
Aaron out.

-- 
InfoWest, Inc.  *  596 E. Tabernacle  *  St. George, UT 84790
Voice: 435-674-0165  *  FAX: 435-674-9654
Web: www.infowest.com  *  E-mail: support@infowest.com
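Added example, not code from the message, the PR, or FreeBSD's ip_fw.c: a small stand-alone C model of the protocol-aware initial expiry the message proposes (TCP gets dyn_syn_lifetime, anything else dyn_short_lifetime), plus a hypothetical per-rule override of the kind the PR's subject describes, and an expiry sweep. The sysctl names are the ones the message uses; their values, the entry layout, the `rule_lifetime` parameter and the function names are constructed for illustration. The sweep is included because the operational reason to get the lifetime right is bounding the dynamic state table: a UDP entry granted the TCP lifetime lingers longer than intended.

```c
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the sysctl knobs named in the message.
 * The values are placeholders for this example, not FreeBSD's defaults. */
static uint32_t dyn_syn_lifetime   = 20;  /* seconds granted to a new TCP flow */
static uint32_t dyn_short_lifetime = 30;  /* seconds granted to a non-TCP flow */

/* Minimal model of a dynamic (keep-state) entry: only the fields this
 * example needs, not the real ipfw_dyn_rule layout. */
struct dyn_id { uint8_t proto; uint16_t src_port, dst_port; };
struct dyn_entry {
    struct dyn_id     id;
    uint32_t          expire;   /* absolute second at which the entry dies */
    struct dyn_entry *next;
};

/* Initial lifetime for a new entry.  rule_lifetime is a hypothetical
 * per-rule override (0 = "use the sysctl default"), modelling the option
 * the PR adds to the parent rule.  Without an override this is the
 * protocol-aware selection the message proposes in place of an
 * unconditional dyn_syn_lifetime. */
uint32_t dyn_initial_lifetime(uint8_t proto, uint32_t rule_lifetime)
{
    if (rule_lifetime != 0)
        return rule_lifetime;
    return proto == IPPROTO_TCP ? dyn_syn_lifetime : dyn_short_lifetime;
}

/* Install a new entry at the head of a singly linked list. */
void dyn_install(struct dyn_entry *r, const struct dyn_id *id,
                 uint32_t rule_lifetime, uint32_t now, struct dyn_entry **head)
{
    r->id     = *id;
    r->expire = now + dyn_initial_lifetime(id->proto, rule_lifetime);
    r->next   = *head;
    *head     = r;
}

/* Unlink every entry whose expiry has been reached; return how many remain.
 * Uses a pointer-to-pointer walk so removal from the head needs no special case. */
size_t dyn_sweep(struct dyn_entry **head, uint32_t now)
{
    size_t live = 0;
    struct dyn_entry **pp = head;
    while (*pp != NULL) {
        if ((*pp)->expire <= now) {
            *pp = (*pp)->next;        /* unlink; do not advance pp */
        } else {
            live++;
            pp = &(*pp)->next;
        }
    }
    return live;
}

/* Stand-alone demo on constructed entries. */
int main(void)
{
    struct dyn_entry  store[3];
    struct dyn_entry *head = NULL;
    struct dyn_id tcp = { IPPROTO_TCP, 40000, 22 };
    struct dyn_id udp = { IPPROTO_UDP, 40001, 53 };
    uint32_t now = 1000;

    dyn_install(&store[0], &tcp, 0, now, &head);  /* expires at 1020 */
    dyn_install(&store[1], &udp, 0, now, &head);  /* expires at 1030 */
    dyn_install(&store[2], &udp, 5, now, &head);  /* override: expires at 1005 */

    printf("t=%u live=%zu\n", now,      dyn_sweep(&head, now));       /* 3 */
    printf("t=%u live=%zu\n", now + 5,  dyn_sweep(&head, now + 5));   /* 2 */
    printf("t=%u live=%zu\n", now + 20, dyn_sweep(&head, now + 20));  /* 1 */
    printf("t=%u live=%zu\n", now + 30, dyn_sweep(&head, now + 30));  /* 0 */
    return 0;
}
```

The demo shows the three cases side by side: a TCP entry living for dyn_syn_lifetime, a UDP entry living for dyn_short_lifetime, and a UDP entry whose parent rule supplied its own lifetime, with the sweep count dropping at each expiry.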
