Date: Tue, 24 Oct 2000 17:47:22 +0200
From: "Julian Stacey Jhs%flip@jhs.muc.de xxyy" <jhs@jhs.muc.de>
To: "Mike Hoskins" <mike@adept.org>
Cc: Rudy <rudy@monkeybrains.net>, freebsd-net@FreeBSD.org
Subject: Re: '/kernel: Too many dynamic rules, sorry'
Message-ID: <200010241549.e9OFlNX17858@jhs.muc.de>
In-Reply-To: Message from "Mike Hoskins" <mike@adept.org> of "Mon, 23 Oct 2000 19:57:49 PDT." <20001024025749.476959EE01@snafu.adept.org>
"Mike Hoskins" wrote:
> > [4] A nice feature would be the ability to extend timeouts within the ipfw
> > ruleset for specific ports. For instance, I'd like to change the timeout
> > for my ssh connections from 5 minutes to 60 minutes. Something like:
> > allow tcp from any to any 22 keep-state ack-lifetime 3600 in recv fxp0 setup
>
> You need patches like Aaron Gifford's. Search the security list archive
> for 'ipfw patches' from around July.

Summer 1999 or before, I ran out of space for all my rules. I append my
http://bim.bsn.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/netinet/ip_fw.c.diff
see also sbin/ipfw/ipfw.8.diff share/man/man4/netintro.4.diff
It's been running fine for over a year; if someone wants to try it & commit it, please do.

---------------------------------------------------------------------------
I have not read kernel to check if the kernel might now run out of space
somewhere, now I can have more rules; I guess if it's doing a malloc it will be OK.
It's been running fine with me since at least January 2000 with my 688 rules.
I did do a scan of entire /usr/include & /sys for "100" in case somewhere else a
programmer has assumed the same 100 but without using a common define; that
would have been evil, & deserved to be discovered.
Ideally one could convert this 20 to a define & use a sysctl to amend it in the
MIB base of net.inet.ip.fw

*** 3.3-and-3.4-and-4.1.1-RELEASE/src/sys/netinet/ip_fw.c Sun Aug 29 18:29:44 1999 --- jhs/src/sys/netinet/ip_fw.c.nu Fri Jan 28 11:17:55 2000 *************** *** 1001,1007 **** return(0); } ! /* If entry number is 0, find highest numbered rule and add 100 */ if (ftmp->fw_number == 0) { for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) { if (fcp->rule->fw_number != (u_short)-1) --- 1001,1007 ---- return(0); } ! 
/* If entry number is 0, find highest numbered rule and add 20 */ if (ftmp->fw_number == 0) { for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) { if (fcp->rule->fw_number != (u_short)-1) *************** *** 1009,1016 **** else break; } ! if (nbr < IPFW_DEFAULT_RULE - 100) ! nbr += 100; ftmp->fw_number = nbr; } --- 1009,1016 ---- else break; } ! if (nbr < IPFW_DEFAULT_RULE - 20) ! nbr += 20; ftmp->fw_number = nbr; } # The next patch does not apply on 4.1-RELEASE, & by human inspection # I find no occurences of "100" that need changing, so its commented out. # *** 3.4-RELEASE/src/sbin/ipfw/ipfw.8 Wed Oct 20 15:07:36 1999 # --- jhs/src/sbin/ipfw/ipfw.8 Thu Apr 13 11:25:36 2000 # *************** # *** 228,234 **** # Multiple rules may share the same number and apply in # the order in which they were added. # .Pp # ! If a rule is added without a number, it is numbered 100 higher than the highest # defined rule number, unless the highest defined rule number is 65435 or # greater, in which case new rules are given that same number. # .Pp # --- 228,234 ---- # Multiple rules may share the same number and apply in # the order in which they were added. # .Pp # ! If a rule is added without a number, it is numbered 20 higher than the highest # defined rule number, unless the highest defined rule number is 65435 or # greater, in which case new rules are given that same number. # .Pp #

--------------------------------------------------------------------------------
Files with "100" that I probably can ignore, but not certain, & would appreciate
confirmation from someone.

sys/netinet/tcp_debug.h    #define TCP_NDEBUG 100
sys/kern/kern_sysctl.c     k += 100;
sys/netinet/ip_divert.c    #define DIVSNDQ (65536 + 100)
sys/netinet/ip_dummynet.c  if (p->queue_size > 100)
sys/netipx/spx_debug.h     #define SPX_NDEBUG 100
sys/netns/spp_debug.h      #define SPP_NDEBUG 100

Julian
-
Julian Stacey   http://bim.bsn.com/~jhs/   Munich Unix Consultant.
Free BSD Unix with 3900 packages & sources.
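Review bot: in the 1001,1007 hunk the only change is the comment text "add 100" becoming "add 20", so the comment now repeats a literal that is set in a different hunk and will go stale the next time the step changes; have the comment name the constant (e.g. "add IPFW_RULE_STEP", a hypothetical define name) rather than the value.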
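Review bot: in the 1009,1016 hunk the step is written twice as a bare literal, `if (nbr < IPFW_DEFAULT_RULE - 20)` and `nbr += 20`, and the cap check is only meaningful while those two values stay equal; hoist the value into one #define (and, as the mail itself proposes, a net.inet.ip.fw sysctl) so both lines read from it. The change is also user-visible: rules added without a number now land 20 apart instead of 100, which alters what existing rulesets and scripts see, and once nbr reaches IPFW_DEFAULT_RULE - 20 every further unnumbered rule still silently receives the same number; that should be stated in the commit message.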
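Review bot: the ipfw.8 hunk is commented out on the grounds that 4.1-RELEASE's page contains no literal "100", but the kernel hunk changes documented behaviour; the 4.1 page should be checked for the sentence describing how unnumbered rules are placed and, if it describes the spacing in other words, updated to say 20.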
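As an added illustration, not code from the mail or from FreeBSD's ip_fw.c, the auto-numbering logic the patch touches is restated below as a stand-alone C function, with the literal step replaced by a hypothetical IPFW_RULE_STEP define, plus a second function that counts how many rules can be added without a number before the cap check collapses all further rules onto one number. The chain layout (ascending rule numbers ending with the 65535 default rule) and the define name are assumptions; the computed counts (655 distinct slots at step 100, which is fewer than the 688 rules mentioned above, versus 3276 at step 20) follow from the hunk's arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPFW_DEFAULT_RULE 65535   /* number of the implicit final rule, as in ip_fw.h */
#define IPFW_RULE_STEP    20      /* hypothetical define standing in for the literal 100 / 20 */

/*
 * Mirror of the auto-numbering logic in the patched hunk: `chain` is the
 * ascending list of existing rule numbers, terminated by the default rule
 * ((uint16_t)-1 == 65535). Returns the number a rule added without one gets.
 */
uint16_t ipfw_next_number(const uint16_t *chain, size_t n, uint16_t step)
{
    uint16_t nbr = 0;
    for (size_t i = 0; i < n; i++) {
        if (chain[i] != (uint16_t)-1)
            nbr = chain[i];        /* remember the highest real rule number */
        else
            break;                 /* reached the default rule */
    }
    if (nbr < IPFW_DEFAULT_RULE - step)
        nbr += step;               /* otherwise nbr stays: the rule shares the top number */
    return nbr;
}

/*
 * Count how many rules can be added without a number before the kernel stops
 * handing out distinct numbers (after that every new rule lands on the same one).
 */
size_t ipfw_distinct_slots(uint16_t step)
{
    uint16_t chain[2], last = 0;
    size_t count = 0;
    for (;;) {
        size_t n = 0;
        if (count > 0)
            chain[n++] = last;     /* only the highest rule matters to the loop above */
        chain[n++] = (uint16_t)-1;
        uint16_t next = ipfw_next_number(chain, n, step);
        if (next == last)
            return count;          /* saturated: the cap check stopped advancing */
        last = next;
        count++;
    }
}

int main(void)
{
    printf("step 100: %zu distinct auto-numbers\n", ipfw_distinct_slots(100));
    printf("step %d: %zu distinct auto-numbers\n", IPFW_RULE_STEP, ipfw_distinct_slots(IPFW_RULE_STEP));
    return 0;
}
```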