Attachment #11146 for bug #22065

Lines 383-388 Link Here

(-)sbin/ipfw/ipfw.c Tue Oct 17 16:08:36 2000 (+12 lines)
383	printf(" keep-state %d", (int)chain->next_rule_ptr);	383	printf(" keep-state %d", (int)chain->next_rule_ptr);
384	else	384	else
385	printf(" keep-state");	385	printf(" keep-state");
		386	if (chain->fw_dyn_lifetime)
		387	printf(" lifetime %d", (int)chain->fw_dyn_lifetime);
386	}	388	}
387	/* Direction */	389	/* Direction */
388	if (chain->fw_flg & IP_FW_BRIDGED)	390	if (chain->fw_flg & IP_FW_BRIDGED)
Lines 837-842 Link Here
837	" ipoptions [!]{ssrr\|lsrr\|rr\|ts},...\n"	839	" ipoptions [!]{ssrr\|lsrr\|rr\|ts},...\n"
838	" tcpoptions [!]{mss\|window\|sack\|ts\|cc},...\n"	840	" tcpoptions [!]{mss\|window\|sack\|ts\|cc},...\n"
839	" icmptypes {type[,type]}...\n"	841	" icmptypes {type[,type]}...\n"
		842	" keep-state [lifetime <number>]\n"
840	" pipeconfig:\n"	843	" pipeconfig:\n"
841	" {bw\|bandwidth} <number>{bit/s\|Kbit/s\|Mbit/s\|Bytes/s\|KBytes/s\|MBytes/s}\n"	844	" {bw\|bandwidth} <number>{bit/s\|Kbit/s\|Mbit/s\|Bytes/s\|KBytes/s\|MBytes/s}\n"
842	" {bw\|bandwidth} interface_name\n"	845	" {bw\|bandwidth} interface_name\n"
Lines 1821-1826 Link Here
1821	(int)rule.next_rule_ptr = type ;	1824	(int)rule.next_rule_ptr = type ;
1822	av++; ac--;	1825	av++; ac--;
1823	}	1826	}
		1827	if (ac > 0 && !strncmp(av,"lifetime",strlen(av))) {
		1828	u_long lifetime ;
		1829
		1830	av++; ac--;
		1831	if (ac > 0 && (lifetime = atoi(*av)) != 0) {
		1832	rule.fw_dyn_lifetime = lifetime;
		1833	av++; ac--;
		1834	}
		1835	}
1824	continue;	1836	continue;
1825	}	1837	}
1826	if (!strncmp(av,"bridged",strlen(av))) {	1838	if (!strncmp(av,"bridged",strlen(av))) {




interface.
.It Ar options :
.Bl -tag -width indent
.It Xo Cm keep-state Op Ar method
.Op Cm lifetime Ar number
.Xc
Upon a match, the firewall will create a dynamic rule, whose
default behaviour is to match bidirectional traffic between
source and destination IP/port using the same protocol.
The rule has a limited lifetime controlled by a set of
.Xr sysctl 8
variables that may be overridden on a per-rule basis.
The lifetime is refreshed every time a matching packet is
found.
.Pp
The actual behaviour can be modified by specifying a different
.Ar method ,
although at the moment only the default one is specified.
.Pp
The default rule lifetime may be overridden for a specific
rule by appending
.Cm lifetime Ar number
to explicitly set the number of seconds for the dynamic rule
lifetime.
.Pp
For TCP rules, explicitly setting a rule lifetime overrides the
default setting stored in the
.Xr sysctl 8
variable
.Em net.inet.ip.fw.dyn_ack_lifetime .
For non-TCP rules, it overrides the
.Xr sysctl 8
variable
.Em net.inet.ip.fw.dyn_short_lifetime
instead.
.It Cm bridged
Matches only bridged packets.
This can be useful for multicast or broadcast traffic, which

Return to bug 22065

Lines 605-622 Link Here

(-)sbin/ipfw/ipfw.8 Tue Oct 17 16:08:36 2000 (-5 / +25 lines)
605	interface.	605	interface.
606	.It Ar options :	606	.It Ar options :
607	.Bl -tag -width indent	607	.Bl -tag -width indent
608	.It Cm keep-state Op Ar method	608	.It Xo Cm keep-state Op Ar method
		609	.Op Cm lifetime Ar number
		610	.Xc
609	Upon a match, the firewall will create a dynamic rule, whose	611	Upon a match, the firewall will create a dynamic rule, whose
610	default behaviour is to matching bidirectional traffic between	612	default behaviour is to match bidirectional traffic between
611	source and destination IP/port using the same protocol.	613	source and destination IP/port using the same protocol.
612	The rule has a limited lifetime (controlled by a set of	614	The rule has a limited lifetime controlled by a set of
613	.Xr sysctl 8	615	.Xr sysctl 8
614	variables), and the lifetime is refreshed every time a matching	616	variables that may be overridden on a per-rule basis.
615	packet is found.	617	The lifetime is refreshed every time a matching packet is
		618	found.
616	.Pp	619	.Pp
617	The actual behaviour can be modified by specifying a different	620	The actual behaviour can be modified by specifying a different
618	.Ar method ,	621	.Ar method ,
619	although at the moment only the default one is specified.	622	although at the moment only the default one is specified.
		623	.Pp
		624	The default rule lifetime may be overridden for a specific
		625	rule by appending
		626	.Cm lifetime Ar number
		627	to explicitly set the number of seconds for the dynamic rule
		628	lifetime.
		629	.Pp
		630	For TCP rules, explicitly setting a rule lifetime overrides the
		631	default setting stored in the
		632	.Xr sysctl 8
		633	variable
		634	.Em net.inet.ip.fw.dyn_ack_lifetime .
		635	For non-TCP rules, it overrides the
		636	.Xr sysctl 8
		637	variable
		638	.Em net.inet.ip.fw.dyn_short_lifetime
		639	instead.
620	.It Cm bridged	640	.It Cm bridged
621	Matches only bridged packets.	641	Matches only bridged packets.
622	This can be useful for multicast or broadcast traffic, which	642	This can be useful for multicast or broadcast traffic, which