FreeBSD Bugzilla – Attachment 15495 Details for
Bug 28713
NEW IPFW FEATURE [PATCHES]: Dynamic rule expiration lifetime fine-grained control
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
file.diff
file.diff (text/plain), 4.84 KB, created by
agifford
on 2001-07-05 07:40:01 UTC
(
hide
)
Description:
file.diff
Filename:
MIME Type:
Creator:
agifford
Created:
2001-07-05 07:40:01 UTC
Size:
4.84 KB
patch
obsolete
>--- /usr/src/sys/netinet/ip_fw.h.orig Tue Feb 20 11:39:17 2001 >+++ /usr/src/sys/netinet/ip_fw.h Thu Jul 5 03:46:51 2001 >@@ -74,6 +74,7 @@ > u_short fu_skipto_rule; /* SKIPTO command rule number */ > u_short fu_reject_code; /* REJECT response code */ > struct sockaddr_in fu_fwd_ip; >+ u_int32_t fu_dyn_lifetime; /* Explicit dynamic rule lifetime */ > } fw_un; > u_char fw_prot; /* IP protocol */ > /* >@@ -122,6 +123,7 @@ > #define fw_reject_code fw_un.fu_reject_code > #define fw_pipe_nr fw_un.fu_pipe_nr > #define fw_fwd_ip fw_un.fu_fwd_ip >+#define fw_dyn_lifetime fw_un.fu_dyn_lifetime > > struct ip_fw_chain { > LIST_ENTRY(ip_fw_chain) next; >@@ -148,6 +150,7 @@ > struct ipfw_flow_id mask ; > struct ip_fw_chain *chain ; /* pointer to parent rule */ > u_int32_t type ; /* rule type */ >+ u_int32_t lifetime ; /* per-rule specified lifetime */ > u_int32_t expire ; /* expire time */ > u_int64_t pcnt, bcnt; /* match counters */ > u_int32_t bucket ; /* which bucket in hash table */ >--- /usr/src/sys/netinet/ip_fw.c.orig Mon Jul 2 15:50:31 2001 >+++ /usr/src/sys/netinet/ip_fw.c Thu Jul 5 03:46:51 2001 >@@ -763,7 +763,7 @@ > break ; > case TH_SYN | (TH_SYN << 8) : > /* move to established */ >- q->expire = time_second + dyn_ack_lifetime ; >+ q->expire = time_second + (q->lifetime ? q->lifetime : dyn_ack_lifetime) ; > break ; > case TH_SYN | (TH_SYN << 8) | TH_FIN : > case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) : >@@ -788,7 +788,7 @@ > } > } else { > /* should do something for UDP and others... */ >- q->expire = time_second + dyn_short_lifetime ; >+ q->expire = time_second + (q->lifetime ? q->lifetime : dyn_short_lifetime) ; > } > if (match_direction) > *match_direction = dir ; >@@ -834,7 +834,13 @@ > if (mask) > r->mask = *mask ; > r->id = *id ; >- r->expire = time_second + dyn_syn_lifetime ; >+ r->lifetime = chain->rule->fw_dyn_lifetime ; >+ if (r->lifetime) >+ r->expire = time_second + r->lifetime ; >+ else if (r->id.proto == IPPROTO_TCP) >+ r->expire = time_second + dyn_syn_lifetime ; >+ else >+ r->expire = time_second + dyn_short_lifetime ; > r->chain = chain ; > r->type = ((struct ip_fw_ext *)chain->rule)->dyn_type ; > >--- /usr/src/sbin/ipfw/ipfw.c.orig Sun Jul 1 22:00:26 2001 >+++ /usr/src/sbin/ipfw/ipfw.c Thu Jul 5 03:46:51 2001 >@@ -377,6 +377,8 @@ > printf(" keep-state %d", (int)chain->next_rule_ptr); > else > printf(" keep-state"); >+ if (chain->fw_dyn_lifetime) >+ printf(" lifetime %d", (int)chain->fw_dyn_lifetime); > } > /* Direction */ > if (chain->fw_flg & IP_FW_BRIDGED) >@@ -917,6 +919,7 @@ > " tcpack {acknowledgement number}\n" > " tcpwin {window size}\n" > " icmptypes {type[, type]}...\n" >+" keep-state [lifetime {number of seconds}]\n" > " pipeconfig:\n" > " {bw|bandwidth} <number>{bit/s|Kbit/s|Mbit/s|Bytes/s|KBytes/s|MBytes/s}\n" > " {bw|bandwidth} interface_name\n" >@@ -1971,6 +1974,15 @@ > if (ac > 0 && (type = atoi(*av)) != 0) { > (int)rule.next_rule_ptr = type; > av++; ac--; >+ } >+ if (ac > 0 && !strncmp(*av,"lifetime",strlen(*av))) { >+ u_long lifetime; >+ >+ av++; ac--; >+ if (ac > 0 && (lifetime = atoi(*av)) != 0) { >+ rule.fw_dyn_lifetime = lifetime; >+ av++; ac--; >+ } > } > } else if (!strncmp(*av, "bridged", strlen(*av))) { > rule.fw_flg |= IP_FW_BRIDGED; >--- /usr/src/sbin/ipfw/ipfw.8.orig Wed Jun 6 20:56:56 2001 >+++ /usr/src/sbin/ipfw/ipfw.8 Thu Jul 5 03:46:51 2001 >@@ -640,18 +640,38 @@ > interface. > .It Ar options : > .Bl -tag -width indent >-.It Cm keep-state Op Ar method >+.It Xo Cm keep-state Op Ar method >+.Op Cm lifetime Ar number >+.Xc > Upon a match, the firewall will create a dynamic rule, whose >-default behaviour is to matching bidirectional traffic between >+default behaviour is to match bidirectional traffic between > source and destination IP/port using the same protocol. >-The rule has a limited lifetime (controlled by a set of >+The rule has a limited lifetime controlled by a set of > .Xr sysctl 8 >-variables), and the lifetime is refreshed every time a matching >-packet is found. >+variables that may be overridden on a per-rule basis. >+The lifetime is refreshed each time a matching packet is >+found. > .Pp > The actual behaviour can be modified by specifying a different > .Ar method , > although at the moment only the default one is specified. >+.Pp >+The default rule lifetime may be overridden for a specific >+rule by appending >+.Cm lifetime Ar number >+to explicitly set the number of seconds for the dynamic rule >+lifetime. >+.Pp >+For TCP rules, explicitly setting a rule lifetime overrides the >+default setting stored in the >+.Xr sysctl 8 >+variable >+.Em net.inet.ip.fw.dyn_ack_lifetime . >+For non-TCP rules, it overrides the >+.Xr sysctl 8 >+variable >+.Em net.inet.ip.fw.dyn_short_lifetime >+instead. > .It Cm bridged > Matches only bridged packets. > This can be useful for multicast or broadcast traffic, which
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=15495">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 28713
: 15495