Date:      Mon, 14 Jan 2002 22:01:10 -0800
From:      "Crist J . Clark" <cjc@FreeBSD.ORG>
To:        Nate Williams <nate@yogotech.com>
Cc:        Ian <freebsd@damnhippie.dyndns.org>, stable@FreeBSD.ORG
Subject:   Re: tcp keepalive and dynamic ipfw rules
Message-ID:  <20020114220110.A28767@blossom.cjclark.org>
In-Reply-To: <15427.48196.58840.602666@caddis.yogotech.com>; from nate@yogotech.com on Mon, Jan 14, 2002 at 10:21:08PM -0700
References:  <GCA67273WQ2HBXUKHUOB6JNLOFDKF.3c439ad3@VicNBob> <B868F9A8.91F2%freebsd@damnhippie.dyndns.org> <15427.48196.58840.602666@caddis.yogotech.com>

On Mon, Jan 14, 2002 at 10:21:08PM -0700, Nate Williams wrote:

[Attribution was lost.]
> > No, it's not that dumb.  The implication of Nate's reply was wrong.  When a
> > tcp connection closes a dynamic rule involving that connection is changed
> > from the dyn_ack_lifetime period (which can safely be long) to the
> > dyn_fin_lifetime period which by default is fairly short.
> 
> Really?  I thought IPFW's state handling was *really* that dumb, at
> least in comparison to IPF's.  Does ipfw really keep track of setup and
> teardown of the link?

The code is pretty straightforward, but yes, it does,

    if (pkt->proto == IPPROTO_TCP) {
	/* update state according to flags */
	u_char flags = pkt->flags & (TH_FIN|TH_SYN|TH_RST);
	q->state |= (dir == MATCH_FORWARD ) ? flags : (flags << 8);
	switch (q->state) {
	case TH_SYN :
	    /* opening */
	    q->expire = time_second + dyn_syn_lifetime ;
	    break ;
	case TH_SYN | (TH_SYN << 8) :
	    /* move to established */
	    q->expire = time_second + q->lifetime ;
	    break ;
	case TH_SYN | (TH_SYN << 8) | TH_FIN :
	case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) :
	    /* one side tries to close */
	    q->expire = time_second + dyn_ack_lifetime ;
	    break ;
	case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8) :
	    /* both sides closed */
	    q->expire = time_second + dyn_fin_lifetime ;
	    break ;
	default:
#if 0
	    /*
	     * reset or some invalid combination, but can also
	     * occur if we use keep-state the wrong way.
	     */
	    if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
		printf("invalid state: 0x%x\n", q->state);
#endif
	    q->expire = time_second + dyn_rst_lifetime ;
	    break ;
	}
    }
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
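As an added example, not code from the message or from FreeBSD's ip_fw.c: a user-space model of the dynamic-rule state update quoted above, fed constructed packet traces so the expiry chosen for each phase of a connection can be seen directly. The flag bits, MATCH_FORWARD/MATCH_REVERSE and the lifetime names follow the excerpt; the lifetime values, the constructed clock and the helper names (seconds_left_after, remaining_*) are assumptions of this example, and in the kernel the lifetimes come from the net.inet.ip.fw.dyn_*_lifetime sysctls.

```c
#include <stdio.h>
#include <stdint.h>

/* TCP flag bits as in <netinet/tcp.h>; ipfw only tracks these three. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04

enum { MATCH_FORWARD = 0, MATCH_REVERSE = 1 };

/* Assumed lifetimes in seconds for this model; the kernel reads them from the
 * net.inet.ip.fw.dyn_*_lifetime sysctls and these are not its defaults. */
enum { DYN_SYN_LIFETIME = 20, DYN_ACK_LIFETIME = 300,
       DYN_FIN_LIFETIME = 1,  DYN_RST_LIFETIME = 1 };

struct dyn_rule {
    uint16_t state;    /* forward-direction flags in the low byte, reverse in the high byte */
    uint32_t lifetime; /* lifetime used while the connection is established */
    uint32_t expire;   /* absolute expiry time */
};

struct pkt { int dir; uint8_t flags; }; /* direction relative to the rule, TCP flags */

/* Apply one TCP segment to the rule and return its new absolute expiry.
 * The switch mirrors the ipfw excerpt quoted in the message above. */
uint32_t dyn_update(struct dyn_rule *q, const struct pkt *p, uint32_t now)
{
    uint8_t flags = p->flags & (TH_FIN | TH_SYN | TH_RST);

    /* Flags accumulate per direction: a SYN or FIN, once seen, stays in the state. */
    q->state |= (p->dir == MATCH_FORWARD) ? flags : (uint16_t)(flags << 8);

    switch (q->state) {
    case TH_SYN:                                  /* opening: short timer until the reply SYN */
        q->expire = now + DYN_SYN_LIFETIME; break;
    case TH_SYN | (TH_SYN << 8):                  /* established: the rule's own (long) lifetime */
        q->expire = now + q->lifetime; break;
    case TH_SYN | (TH_SYN << 8) | TH_FIN:         /* one side has sent FIN */
    case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8):
        q->expire = now + DYN_ACK_LIFETIME; break;
    case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8): /* both sides closed */
        q->expire = now + DYN_FIN_LIFETIME; break;
    default:                                      /* RST, or a combination that should not occur */
        q->expire = now + DYN_RST_LIFETIME; break;
    }
    return q->expire;
}

/* Feed a packet trace through a fresh rule and return how many seconds the
 * rule would linger once the last packet has been seen. */
uint32_t seconds_left_after(const struct pkt *pkts, int n, uint32_t rule_lifetime)
{
    struct dyn_rule q = { 0, rule_lifetime, 0 };
    uint32_t now = 1000; /* constructed clock value standing in for time_second */
    uint32_t expire = now;
    for (int i = 0; i < n; i++)
        expire = dyn_update(&q, &pkts[i], now);
    return expire - now;
}

/* Constructed traces for the cases discussed in the thread. Only SYN, FIN and
 * RST matter to the state machine, so an ACK or data segment carries flags 0. */
uint32_t remaining_established(void) {
    struct pkt t[] = { {MATCH_FORWARD, TH_SYN}, {MATCH_REVERSE, TH_SYN}, {MATCH_FORWARD, 0} };
    return seconds_left_after(t, 3, 3600);
}
uint32_t remaining_half_closed(void) {
    struct pkt t[] = { {MATCH_FORWARD, TH_SYN}, {MATCH_REVERSE, TH_SYN}, {MATCH_FORWARD, TH_FIN} };
    return seconds_left_after(t, 3, 3600);
}
uint32_t remaining_fully_closed(void) {
    struct pkt t[] = { {MATCH_FORWARD, TH_SYN}, {MATCH_REVERSE, TH_SYN},
                       {MATCH_FORWARD, TH_FIN}, {MATCH_REVERSE, TH_FIN} };
    return seconds_left_after(t, 4, 3600);
}
uint32_t remaining_after_reset(void) {
    struct pkt t[] = { {MATCH_FORWARD, TH_SYN}, {MATCH_REVERSE, TH_SYN}, {MATCH_REVERSE, TH_RST} };
    return seconds_left_after(t, 3, 3600);
}

int main(void)
{
    printf("established:  %u s\n", (unsigned)remaining_established());
    printf("half-closed:  %u s\n", (unsigned)remaining_half_closed());
    printf("fully closed: %u s\n", (unsigned)remaining_fully_closed());
    printf("after RST:    %u s\n", (unsigned)remaining_after_reset());
    return 0;
}
```

Running it shows the distinction the quoted reply makes: an idle but open connection keeps the rule's own lifetime, one side's FIN moves the entry to dyn_ack_lifetime, and only after both FINs (or any RST, via the default case) does it drop to the short dyn_fin_lifetime or dyn_rst_lifetime. Because the flag bits only ever accumulate, a later segment on the same entry cannot move it back to the established state; a new connection reusing the same addresses and ports needs a fresh dynamic rule once this one has expired.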

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020114220110.A28767>