From owner-freebsd-net Tue Oct 24 13:45:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from slarti.muc.de (slarti.muc.de [193.149.48.10]) by hub.freebsd.org (Postfix) with SMTP id 8833B37B4D7 for ; Tue, 24 Oct 2000 13:45:00 -0700 (PDT)
Received: (qmail 21577 invoked from network); 24 Oct 2000 20:51:35 -0000
Received: from jhs.muc.de (193.149.49.84) by slarti.muc.de with SMTP; 24 Oct 2000 20:51:35 -0000
Received: from park.jhs.private (localhost [127.0.0.1]) by jhs.muc.de (8.11.0/8.11.0) with ESMTP id e9OFlNX17858; Tue, 24 Oct 2000 15:49:11 GMT (envelope-from jhs@park.jhs.private)
Message-Id: <200010241549.e9OFlNX17858@jhs.muc.de>
To: "Mike Hoskins"
Cc: Rudy , freebsd-net@FreeBSD.org
Subject: Re: '/kernel: Too many dynamic rules, sorry'
In-Reply-To: Message from "Mike Hoskins" of "Mon, 23 Oct 2000 19:57:49 PDT." <20001024025749.476959EE01@snafu.adept.org>
Date: Tue, 24 Oct 2000 17:47:22 +0200
From: "Julian Stacey Jhs%flip@jhs.muc.de xxyy"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Mike Hoskins" wrote:
> > [4] A nice feature would be the ability to extend timeouts within the ipfw
> > ruleset for specific ports. For instance, I'd like to change the timeout
> > for my ssh connections from 5 minutes to 60 minutes. Something like:
> > allow tcp from any to any 22 keep-state ack-lifetime 3600 in recv fxp0 setup
>
> You need patches like Aaron Gifford's. Search the security list archive
> for 'ipfw patches' from around July.

Summer 1999 or before, I ran out of space for all my rules. I append my
http://bim.bsn.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/netinet/ip_fw.c.diff
(see also sbin/ipfw/ipfw.8.diff and share/man/man4/netintro.4.diff).
It's been running fine for over a year; if someone wants to try it & commit it, please do.
---------------------------------------------------------------------------
I have not read the kernel to check if it might now run out of space somewhere
now that I can have more rules; I guess if it's doing a malloc it will be OK.
It's been running fine with me since at least January 2000 with my 688 rules.
I did do a scan of the entire /usr/include & /sys for "100" in case somewhere
else a programmer had assumed the same 100 without using a common define; that
would have been evil, & deserved to be discovered.
Ideally one could convert this 20 to a define & use a sysctl to amend it in the
MIB base of net.inet.ip.fw.

*** 3.3-and-3.4-and-4.1.1-RELEASE/src/sys/netinet/ip_fw.c	Sun Aug 29 18:29:44 1999
--- jhs/src/sys/netinet/ip_fw.c.nu	Fri Jan 28 11:17:55 2000
***************
*** 1001,1007 ****
  	return(0);
  }
  
! 	/* If entry number is 0, find highest numbered rule and add 100 */
  	if (ftmp->fw_number == 0) {
  		for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) {
  			if (fcp->rule->fw_number != (u_short)-1)
--- 1001,1007 ----
  	return(0);
  }
  
! 	/* If entry number is 0, find highest numbered rule and add 20 */
  	if (ftmp->fw_number == 0) {
  		for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) {
  			if (fcp->rule->fw_number != (u_short)-1)
***************
*** 1009,1016 ****
  			else
  				break;
  		}
! 		if (nbr < IPFW_DEFAULT_RULE - 100)
! 			nbr += 100;
  		ftmp->fw_number = nbr;
  	}
  
--- 1009,1016 ----
  			else
  				break;
  		}
! 		if (nbr < IPFW_DEFAULT_RULE - 20)
! 			nbr += 20;
  		ftmp->fw_number = nbr;
  	}
  

# The next patch does not apply on 4.1-RELEASE, & by human inspection
# I find no occurrences of "100" that need changing, so it's commented out.
# *** 3.4-RELEASE/src/sbin/ipfw/ipfw.8	Wed Oct 20 15:07:36 1999
# --- jhs/src/sbin/ipfw/ipfw.8	Thu Apr 13 11:25:36 2000
# ***************
# *** 228,234 ****
#   Multiple rules may share the same number and apply in
#   the order in which they were added.
#   .Pp
# ! If a rule is added without a number, it is numbered 100 higher than the highest
#   defined rule number, unless the highest defined rule number is 65435 or
#   greater, in which case new rules are given that same number.
#   .Pp
# --- 228,234 ----
#   Multiple rules may share the same number and apply in
#   the order in which they were added.
#   .Pp
# ! If a rule is added without a number, it is numbered 20 higher than the highest
#   defined rule number, unless the highest defined rule number is 65435 or
#   greater, in which case new rules are given that same number.
#   .Pp

--------------------------------------------------------------------------------
Files with "100" that I probably can ignore, but am not certain about, & would
appreciate confirmation from someone:

sys/netinet/tcp_debug.h		#define TCP_NDEBUG 100
sys/kern/kern_sysctl.c		k += 100;
sys/netinet/ip_divert.c		#define DIVSNDQ (65536 + 100)
sys/netinet/ip_dummynet.c	if (p->queue_size > 100)
sys/netipx/spx_debug.h		#define SPX_NDEBUG 100
sys/netns/spp_debug.h		#define SPP_NDEBUG 100

Julian
-
Julian Stacey   http://bim.bsn.com/~jhs/   Munich Unix Consultant.
Free BSD Unix with 3900 packages & sources.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
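Review bot: the second ip_fw.c hunk still hard-codes the step as a bare literal, now in three places (the comment in the first hunk, `if (nbr < IPFW_DEFAULT_RULE - 20)` and `nbr += 20`), so the next person who tunes it faces the same hunt for stray constants the cover note describes; give it one name in ip_fw.h, say `#define IPFW_AUTOINC_STEP 20`, use it in both lines and the comment, and that define is also the natural thing to expose through the net.inet.ip.fw sysctl the cover note suggests. In the ipfw.8 hunk, "100 higher" becomes "20 higher" but the ceiling "65435 or greater" is left as an unchanged context line, yet 65435 was derived from the old `IPFW_DEFAULT_RULE - 100` test; with the kernel now testing `IPFW_DEFAULT_RULE - 20` the documented threshold has to move with it (65515 if IPFW_DEFAULT_RULE is 65535), otherwise the man page contradicts the code it documents.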
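The numbering rule that the ipfw.8 paragraph describes, as an added C example (not the patch's or FreeBSD's code): it mirrors the ip_fw.c loop with the step held in a single constant and then counts how many unnumbered rules each step admits before new rules collapse onto the highest existing number. The value 65535 for IPFW_DEFAULT_RULE and the name IPFW_AUTOINC_STEP are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#define IPFW_DEFAULT_RULE 65535 /* assumed: catch-all rule, sys/netinet/ip_fw.h */
#define IPFW_AUTOINC_STEP 20    /* hypothetical single define for the patch's 20 */

/* Mirrors the ip_fw.c loop for a rule added with fw_number == 0: take the
 * highest number in the ascending chain that is not the default rule
 * ((u_short)-1), add `step` unless that would reach IPFW_DEFAULT_RULE,
 * otherwise reuse the highest number, as ipfw.8 documents. */
unsigned short ipfw_auto_number(const unsigned short *chain, size_t n,
                                unsigned short step)
{
    unsigned short nbr = 0;
    for (size_t i = 0; i < n; i++) {
        if (chain[i] != (unsigned short)-1)
            nbr = chain[i];
        else
            break;              /* default rule is always last */
    }
    if (nbr < IPFW_DEFAULT_RULE - step)
        nbr += step;
    return nbr;
}

/* Distinct auto-assigned numbers available from an empty chain before
 * new rules start sharing the highest number. */
size_t ipfw_auto_capacity(unsigned short step)
{
    unsigned short highest = 0;
    size_t count = 0;
    for (;;) {
        unsigned short next = ipfw_auto_number(&highest, 1, step);
        if (next == highest)
            return count;       /* numbering stopped advancing */
        highest = next;
        count++;
    }
}

int main(void)
{
    const unsigned short chain[] = { 100, 200, IPFW_DEFAULT_RULE };
    printf("next unnumbered rule: step 100 -> %u, step 20 -> %u\n",
           ipfw_auto_number(chain, 3, 100),
           ipfw_auto_number(chain, 3, IPFW_AUTOINC_STEP));
    printf("rules before collapse: step 100 -> %zu, step 20 -> %zu\n",
           ipfw_auto_capacity(100), ipfw_auto_capacity(IPFW_AUTOINC_STEP));
    return 0;
}
```

With the 688 rules mentioned above, the old step of 100 leaves room for only 655 auto-numbered rules, which is exactly the ceiling the patch lifts.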