From: "David Schwartz"
Reply-To: davids@webmaster.com
To: freebsd-ipfw@freebsd.org
Date: Sat, 27 Nov 2004 12:17:21 -0800
Subject: PATCH: Add creation time to dynamic firewall rules
List-Id: IPFW Technical Discussions

FreeBSD/ipfw2 currently keeps the expiration time for dynamic firewall rules (obviously), but it does not track the creation time. The attached patch keeps the creation time and adds a flag to 'ipfw' to show the time since creation instead of the time until expiration.

This is useful for two reasons. First, knowing how long a connection has been around gives you an idea of how stable it is. Second, the packet/byte counters are not as meaningful without knowing what time period they cover -- with both the counters and the time frame, you can estimate the bandwidth consumption of the connection.

The cost is four bytes of memory per dynamic firewall rule. This is both consumed kernel memory for the dynamic rule table and cost of copying out the rules when they're requested. In addition, retrieving the dynamic firewall rules requires an extra computation to relativize the time (as is done for expiration time now).
Even for a large firewall with, say, 10,000 states, this is still a minimal amount of memory (40Kb). This patch is tested and is offered under the FreeBSD license. I would like to see it included in the distribution. The patch is against 5_STABLE, and the versions of the various files patched are in the patch headers. The patch has been tested. Note that both copies of ip_fw.h must be patched.

David Schwartz

--

--- ip_fw.h 1.89.2.2 2004/10/03 17:04:40 +++ ip_fw.h Fri Nov 26 18:51:15 2004 @@ -353,6 +353,7 @@ struct _ipfw_dyn_rule { u_int64_t bcnt; /* byte match counter */ struct ipfw_flow_id id; /* (masked) flow id */ u_int32_t expire; /* expire time */ + u_int32_t created; /* creation time */ u_int32_t bucket; /* which bucket in hash table */ u_int32_t state; /* state of this rule (typically a * combination of TCP flags) --- ip_fw2.c 1.54.2.3 2004/09/17 14:49:08 +++ ip_fw2.c Fri Nov 26 18:56:41 2004 @@ -1037,6 +1037,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_ r->id = *id; r->expire = time_second + dyn_syn_lifetime; + r->created = time_second; r->rule = rule; r->dyn_type = dyn_type; r->pcnt = r->bcnt = 0; @@ -3089,6 +3090,9 @@ ipfw_getrules(struct ip_fw_chain *chain, dst->expire = TIME_LEQ(dst->expire, time_second) ? 0 : dst->expire - time_second ; + dst->created = + TIME_LEQ(time_second, dst->created) ? + 0 : time_second - dst->created; bp += sizeof(ipfw_dyn_rule); } } --- ipfw.8 1.150.2.4 2004/11/08 19:07:03 +++ ipfw.8 Fri Nov 26 18:59:20 2004 @@ -13,7 +13,7 @@ .Cm add .Ar rule .Nm -.Op Fl acdefnNStT +.Op Fl acCdefnNStT .Brq Cm list | show .Op Ar rule | first-last ... .Nm
@@ -223,6 +223,10 @@ Implies When entering or showing rules, print them in compact form, i.e., without the optional "ip from any to any" string when this does not carry any additional information. +.It Fl C +When viewing dynamic firewall rules, print the number of +seconds since the rule was created rather than the number +of seconds until the rule expires. .It Fl d While listing, show dynamic rules in addition to static ones. .It Fl e --- ipfw2.c 1.54.2.3 2004/09/17 14:49:08 +++ ipfw2.c Fri Nov 26 18:57:04 2004 @@ -67,6 +67,7 @@ int show_sets, /* display rule sets */ test_only, /* only check syntax */ comment_only, /* only print action and comment */ + show_created, /* show creation time */ verbose; #define IP_MASK_ALL 0xffffffff @@ -1367,7 +1368,8 @@ show_dyn_ipfw(ipfw_dyn_rule *d, int pcwi if (pcwidth>0 || bcwidth>0) printf(" %*llu %*llu (%ds)", pcwidth, align_uint64(&d->pcnt), bcwidth, - align_uint64(&d->bcnt), d->expire); + align_uint64(&d->bcnt), + show_created ? d->created : d->expire); switch (d->dyn_type) { case O_LIMIT_PARENT: printf(" PARENT %d", d->count); @@ -3843,7 +3845,7 @@ ipfw_main(int oldac, char **oldav) save_av = av; optind = optreset = 0; - while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1) + while ((ch = getopt(ac, av, "abcCdefhnNqs:STtv")) != -1) switch (ch) { case 'a': do_acct = 1; @@ -3906,7 +3908,9 @@ ipfw_main(int oldac, char **oldav) case 'v': /* verbose */ verbose = 1; break; - + case 'C': /* created time */ + show_created = 1; + break; default: free_args(save_ac, save_av); return 1;
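Review bot: in the ip_fw.h hunk, inserting `u_int32_t created;` between `expire` and `bucket` changes the size and layout of struct _ipfw_dyn_rule, which ipfw_getrules copies out to userland in whole-struct steps (`bp += sizeof(ipfw_dyn_rule);`), so an ipfw(8) binary built against the old header will misread every dynamic rule returned by a patched kernel, and a patched ipfw(8) will misread an unpatched kernel's table. The cover note already says both copies of ip_fw.h must be patched; the commit message should state plainly that kernel and ipfw(8) have to be rebuilt together, since a silent mismatch here shows up only as garbage counters and addresses in `ipfw -d show`.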
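Review bot: in the ipfw_getrules hunk, the new `created` arithmetic correctly mirrors the `expire` relativization and the `TIME_LEQ(time_second, dst->created)` guard returns 0 rather than a wrapped value if the clock has stepped backwards, but the header comment `/* creation time */` now describes a field that is an absolute timestamp inside the kernel and a relative age in the copied-out buffer. A one-line comment at this conversion (or next to the field) saying that userland receives seconds since creation would stop the next reader from treating `d->created` in ipfw2.c as an epoch value.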
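Review bot: in the ipfw.8 hunk adding `.It Fl C`, the description should say the flag only has an effect together with `-d`, since the existing `.It Fl d` text is what makes dynamic rules appear in a listing at all; as written, a reader can run `ipfw -C show` and see no change.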
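Review bot: in the show_dyn_ipfw hunk, the same `" %*llu %*llu (%ds)"` format now carries either time-to-expiry or age depending on `show_created`, with nothing in the output to tell them apart, so saved or scripted `ipfw -d show` output becomes ambiguous. Consider using a distinct marker when `show_created` is set (for example a different suffix inside the parentheses) so that consumers of the column can tell which quantity they are reading.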
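Review bot: in the last ipfw_main hunk, `case 'C':` is appended after `case 'v':` (replacing the blank line before `default:`), while the surrounding switch runs from `case 'a':` in option order and the getopt string `"abcCdefhnNqs:STtv"` places C right after c; moving the new case next to `case 'c':` keeps the switch in the same order as the option string and makes the next flag easier to add.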
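The bandwidth-estimation use the cover note describes, as an added example that is not part of the patch or of ipfw(8): a Python parser for `ipfw -dC show` output that turns the byte counter and the age field into an average rate per state. The line layout (rule, pcnt, bcnt, `(Ns)`, STATE, proto, src sport <-> dst dport) is assumed from the `(%ds)` format string in the patch plus ipfw2's usual dynamic-rule layout; the sample lines are constructed. It also handles the case the kernel's `TIME_LEQ` guard produces, an age of 0, where no rate can be derived.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample of `ipfw -dC show` dynamic-rule lines. Assumed layout:
# rule pcnt bcnt (age) STATE proto src sport <-> dst dport. With -C the
# parenthesised value is seconds since creation, as the patch reports it.
SAMPLE = """\
00100 5 300 (20s) STATE tcp 192.168.0.10 1025 <-> 10.0.0.1 22
00100 8400 12600000 (600s) STATE tcp 192.168.0.11 49152 <-> 10.0.0.2 443
00200 1 60 (0s) STATE udp 192.168.0.12 5000 <-> 10.0.0.3 53
"""

DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pcnt>\d+)\s+(?P<bcnt>\d+)\s+\((?P<secs>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)


class DynState(NamedTuple):
    rule: int
    proto: str
    src: str
    dst: str
    pcnt: int
    bcnt: int
    age: int              # seconds since creation, as printed by ipfw -C
    bps: Optional[float]  # None when age is 0: the rate is undefined, not infinite


def parse_dyn_states(text: str) -> list[DynState]:
    """Parse dynamic-rule lines and derive an average byte rate per state."""
    states = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue  # static rules and other output are not dynamic states
        bcnt, age = int(m["bcnt"]), int(m["secs"])
        # The kernel reports 0 when created >= now (e.g. the clock stepped back),
        # so a zero age means "no usable time window", not a burst of traffic.
        bps = bcnt / age if age > 0 else None
        states.append(DynState(int(m["rule"]), m["proto"],
                               f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}",
                               int(m["pcnt"]), bcnt, age, bps))
    return states


def top_talkers(states: list[DynState], limit: int = 5) -> list[DynState]:
    """Rank states by average rate, leaving out those whose rate is undefined."""
    rated = [s for s in states if s.bps is not None]
    return sorted(rated, key=lambda s: s.bps, reverse=True)[:limit]
```

Without `-C` the parenthesised value is time until expiry, so the same division would be meaningless; the parser only makes sense on `-C` output.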