Attachment #15495 for bug #28713

View | Details | Raw Unified | Return to bug 28713
Collapse All | Expand All




	u_short fu_skipto_rule;		/* SKIPTO command rule number */
	u_short fu_reject_code;		/* REJECT response code */
	struct sockaddr_in fu_fwd_ip;
	u_int32_t fu_dyn_lifetime;	/* Explicit dynamic rule lifetime */
    } fw_un;
    u_char fw_prot;			/* IP protocol */
	/*

#define fw_reject_code	fw_un.fu_reject_code
#define fw_pipe_nr	fw_un.fu_pipe_nr
#define fw_fwd_ip	fw_un.fu_fwd_ip
#define fw_dyn_lifetime	fw_un.fu_dyn_lifetime

struct ip_fw_chain {
	LIST_ENTRY(ip_fw_chain) next;

    struct ipfw_flow_id mask ;
    struct ip_fw_chain *chain ;		/* pointer to parent rule	*/
    u_int32_t type ;			/* rule type			*/
    u_int32_t lifetime ;		/* per-rule specified lifetime  */
    u_int32_t expire ;			/* expire time			*/
    u_int64_t pcnt, bcnt;		/* match counters		*/
    u_int32_t bucket ;			/* which bucket in hash table	*/

Lines 763-769 Link Here

(-)/usr/src/sys/netinet/ip_fw.c (-3 / +9 lines)
763	break ;	763	break ;
764	case TH_SYN \| (TH_SYN << 8) :	764	case TH_SYN \| (TH_SYN << 8) :
765	/* move to established */	765	/* move to established */
766	q->expire = time_second + dyn_ack_lifetime ;	766	q->expire = time_second + (q->lifetime ? q->lifetime : dyn_ack_lifetime) ;
767	break ;	767	break ;
768	case TH_SYN \| (TH_SYN << 8) \| TH_FIN :	768	case TH_SYN \| (TH_SYN << 8) \| TH_FIN :
769	case TH_SYN \| (TH_SYN << 8) \| (TH_FIN << 8) :	769	case TH_SYN \| (TH_SYN << 8) \| (TH_FIN << 8) :
Lines 788-794 Link Here
788	}	788	}
789	} else {	789	} else {
790	/* should do something for UDP and others... */	790	/* should do something for UDP and others... */
791	q->expire = time_second + dyn_short_lifetime ;	791	q->expire = time_second + (q->lifetime ? q->lifetime : dyn_short_lifetime) ;
792	}	792	}
793	if (match_direction)	793	if (match_direction)
794	*match_direction = dir ;	794	*match_direction = dir ;
Lines 834-840 Link Here
834	if (mask)	834	if (mask)
835	r->mask = *mask ;	835	r->mask = *mask ;
836	r->id = *id ;	836	r->id = *id ;
837	r->expire = time_second + dyn_syn_lifetime ;	837	r->lifetime = chain->rule->fw_dyn_lifetime ;
		838	if (r->lifetime)
		839	r->expire = time_second + r->lifetime ;
		840	else if (r->id.proto == IPPROTO_TCP)
		841	r->expire = time_second + dyn_syn_lifetime ;
		842	else
		843	r->expire = time_second + dyn_short_lifetime ;
838	r->chain = chain ;	844	r->chain = chain ;
839	r->type = ((struct ip_fw_ext *)chain->rule)->dyn_type ;	845	r->type = ((struct ip_fw_ext *)chain->rule)->dyn_type ;
840		846

Lines 377-382 Link Here

(-)/usr/src/sbin/ipfw/ipfw.c (+12 lines)
377	printf(" keep-state %d", (int)chain->next_rule_ptr);	377	printf(" keep-state %d", (int)chain->next_rule_ptr);
378	else	378	else
379	printf(" keep-state");	379	printf(" keep-state");
		380	if (chain->fw_dyn_lifetime)
		381	printf(" lifetime %d", (int)chain->fw_dyn_lifetime);
380	}	382	}
381	/* Direction */	383	/* Direction */
382	if (chain->fw_flg & IP_FW_BRIDGED)	384	if (chain->fw_flg & IP_FW_BRIDGED)
Lines 917-922 Link Here
917	" tcpack {acknowledgement number}\n"	919	" tcpack {acknowledgement number}\n"
918	" tcpwin {window size}\n"	920	" tcpwin {window size}\n"
919	" icmptypes {type[, type]}...\n"	921	" icmptypes {type[, type]}...\n"
		922	" keep-state [lifetime {number of seconds}]\n"
920	" pipeconfig:\n"	923	" pipeconfig:\n"
921	" {bw\|bandwidth} <number>{bit/s\|Kbit/s\|Mbit/s\|Bytes/s\|KBytes/s\|MBytes/s}\n"	924	" {bw\|bandwidth} <number>{bit/s\|Kbit/s\|Mbit/s\|Bytes/s\|KBytes/s\|MBytes/s}\n"
922	" {bw\|bandwidth} interface_name\n"	925	" {bw\|bandwidth} interface_name\n"
Lines 1971-1976 Link Here
1971	if (ac > 0 && (type = atoi(*av)) != 0) {	1974	if (ac > 0 && (type = atoi(*av)) != 0) {
1972	(int)rule.next_rule_ptr = type;	1975	(int)rule.next_rule_ptr = type;
1973	av++; ac--;	1976	av++; ac--;
		1977	}
		1978	if (ac > 0 && !strncmp(av,"lifetime",strlen(av))) {
		1979	u_long lifetime;
		1980
		1981	av++; ac--;
		1982	if (ac > 0 && (lifetime = atoi(*av)) != 0) {
		1983	rule.fw_dyn_lifetime = lifetime;
		1984	av++; ac--;
		1985	}
1974	}	1986	}
1975	} else if (!strncmp(av, "bridged", strlen(av))) {	1987	} else if (!strncmp(av, "bridged", strlen(av))) {
1976	rule.fw_flg \|= IP_FW_BRIDGED;	1988	rule.fw_flg \|= IP_FW_BRIDGED;




interface.
.It Ar options :
.Bl -tag -width indent
.It Xo Cm keep-state Op Ar method
.Op Cm lifetime Ar number
.Xc
Upon a match, the firewall will create a dynamic rule, whose
default behaviour is to match bidirectional traffic between
source and destination IP/port using the same protocol.
The rule has a limited lifetime controlled by a set of
.Xr sysctl 8
variables that may be overridden on a per-rule basis.
The lifetime is refreshed each time a matching packet is
found.
.Pp
The actual behaviour can be modified by specifying a different
.Ar method ,
although at the moment only the default one is specified.
.Pp
The default rule lifetime may be overridden for a specific
rule by appending
.Cm lifetime Ar number
to explicitly set the number of seconds for the dynamic rule
lifetime.
.Pp
For TCP rules, explicitly setting a rule lifetime overrides the
default setting stored in the
.Xr sysctl 8
variable
.Em net.inet.ip.fw.dyn_ack_lifetime .
For non-TCP rules, it overrides the
.Xr sysctl 8
variable
.Em net.inet.ip.fw.dyn_short_lifetime
instead.
.It Cm bridged
Matches only bridged packets.
This can be useful for multicast or broadcast traffic, which

Return to bug 28713

Lines 640-657 Link Here

(-)/usr/src/sbin/ipfw/ipfw.8 (-5 / +25 lines)
640	interface.	640	interface.
641	.It Ar options :	641	.It Ar options :
642	.Bl -tag -width indent	642	.Bl -tag -width indent
643	.It Cm keep-state Op Ar method	643	.It Xo Cm keep-state Op Ar method
		644	.Op Cm lifetime Ar number
		645	.Xc
644	Upon a match, the firewall will create a dynamic rule, whose	646	Upon a match, the firewall will create a dynamic rule, whose
645	default behaviour is to matching bidirectional traffic between	647	default behaviour is to match bidirectional traffic between
646	source and destination IP/port using the same protocol.	648	source and destination IP/port using the same protocol.
647	The rule has a limited lifetime (controlled by a set of	649	The rule has a limited lifetime controlled by a set of
648	.Xr sysctl 8	650	.Xr sysctl 8
649	variables), and the lifetime is refreshed every time a matching	651	variables that may be overridden on a per-rule basis.
650	packet is found.	652	The lifetime is refreshed each time a matching packet is
		653	found.
651	.Pp	654	.Pp
652	The actual behaviour can be modified by specifying a different	655	The actual behaviour can be modified by specifying a different
653	.Ar method ,	656	.Ar method ,
654	although at the moment only the default one is specified.	657	although at the moment only the default one is specified.
		658	.Pp
		659	The default rule lifetime may be overridden for a specific
		660	rule by appending
		661	.Cm lifetime Ar number
		662	to explicitly set the number of seconds for the dynamic rule
		663	lifetime.
		664	.Pp
		665	For TCP rules, explicitly setting a rule lifetime overrides the
		666	default setting stored in the
		667	.Xr sysctl 8
		668	variable
		669	.Em net.inet.ip.fw.dyn_ack_lifetime .
		670	For non-TCP rules, it overrides the
		671	.Xr sysctl 8
		672	variable
		673	.Em net.inet.ip.fw.dyn_short_lifetime
		674	instead.
655	.It Cm bridged	675	.It Cm bridged
656	Matches only bridged packets.	676	Matches only bridged packets.
657	This can be useful for multicast or broadcast traffic, which	677	This can be useful for multicast or broadcast traffic, which

Lines 74-79 Link Here

(-)/usr/src/sys/netinet/ip_fw.h (+3 lines)
74	u_short fu_skipto_rule; /* SKIPTO command rule number */	74	u_short fu_skipto_rule; /* SKIPTO command rule number */
75	u_short fu_reject_code; /* REJECT response code */	75	u_short fu_reject_code; /* REJECT response code */
76	struct sockaddr_in fu_fwd_ip;	76	struct sockaddr_in fu_fwd_ip;
		77	u_int32_t fu_dyn_lifetime; /* Explicit dynamic rule lifetime */
77	} fw_un;	78	} fw_un;
78	u_char fw_prot; /* IP protocol */	79	u_char fw_prot; /* IP protocol */
79	/*	80	/*
Lines 122-127 Link Here
122	#define fw_reject_code fw_un.fu_reject_code	123	#define fw_reject_code fw_un.fu_reject_code
123	#define fw_pipe_nr fw_un.fu_pipe_nr	124	#define fw_pipe_nr fw_un.fu_pipe_nr
124	#define fw_fwd_ip fw_un.fu_fwd_ip	125	#define fw_fwd_ip fw_un.fu_fwd_ip
		126	#define fw_dyn_lifetime fw_un.fu_dyn_lifetime
125		127
126	struct ip_fw_chain {	128	struct ip_fw_chain {
127	LIST_ENTRY(ip_fw_chain) next;	129	LIST_ENTRY(ip_fw_chain) next;
Lines 148-153 Link Here
148	struct ipfw_flow_id mask ;	150	struct ipfw_flow_id mask ;
149	struct ip_fw_chain chain ; / pointer to parent rule */	151	struct ip_fw_chain chain ; / pointer to parent rule */
150	u_int32_t type ; /* rule type */	152	u_int32_t type ; /* rule type */
		153	u_int32_t lifetime ; /* per-rule specified lifetime */
151	u_int32_t expire ; /* expire time */	154	u_int32_t expire ; /* expire time */
152	u_int64_t pcnt, bcnt; /* match counters */	155	u_int64_t pcnt, bcnt; /* match counters */
153	u_int32_t bucket ; /* which bucket in hash table */	156	u_int32_t bucket ; /* which bucket in hash table */