Date: Tue, 25 Sep 2001 23:43:10 -0700 (PDT) From: Mike Hoskins <mike@adept.org> To: <freebsd-stable@freebsd.org> Subject: Re: ipfw patch Message-ID: <20010925234127.Y58056-200000@snafu.adept.org> In-Reply-To: <20010925233344.Y58056-100000@snafu.adept.org>
[-- Attachment #1 --]
And now for the attachment.
On Tue, 25 Sep 2001, Mike Hoskins wrote:
> Some time ago I came across the attached patch for ipfw which supports
> per-session timeouts. It applied cleanly until my last attempt to cvsup
> 4.4 (still at 4.3). It allows you to specify 'lifetimes' in your ipfw
> rules as follows:
<snip>
[-- Attachment #2 --]
--- sys/netinet/ip_fw.c.orig Wed May 31 14:43:58 2000
+++ sys/netinet/ip_fw.c Mon Jun 5 08:08:51 2000
@@ -651,7 +651,7 @@
break ;
case TH_SYN | (TH_SYN << 8) :
/* move to established */
- q->expire = time_second + dyn_ack_lifetime ;
+ q->expire = time_second + (q->lifetime ? q->lifetime : dyn_ack_lifetime) ;
break ;
case TH_SYN | (TH_SYN << 8) | TH_FIN :
case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) :
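Review bot: The `q->lifetime ? q->lifetime : <default>` selection introduced here is repeated verbatim in the UDP branch of the next hunk and in a third form in the rule-creation hunk of the same file; a one-line `static __inline` helper taking the dynamic entry and the default, e.g. `return q->lifetime ? q->lifetime : dflt;`, would keep the three sites from drifting apart. Only the established-TCP transition is overridden here, so the other TCP cases in this switch keep their built-in timeouts; if that is intended, a word on the `/* move to established */` line saying so would save the next reader a question. The enclosing function begins before and ends after this hunk.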
@@ -673,7 +673,7 @@
}
} else {
/* should do something for UDP and others... */
- q->expire = time_second + dyn_short_lifetime ;
+ q->expire = time_second + (q->lifetime ? q->lifetime : dyn_short_lifetime) ;
}
if (match_direction)
*match_direction = dir ;
@@ -721,7 +721,13 @@
if (mask)
r->mask = *mask ;
r->id = *id ;
- r->expire = time_second + dyn_syn_lifetime ;
+ r->lifetime = chain->rule->fw_dyn_lifetime ;
+ if (r->lifetime)
+ r->expire = time_second + r->lifetime ;
+ else if (r->id.proto == IPPROTO_TCP)
+ r->expire = time_second + dyn_syn_lifetime ;
+ else
+ r->expire = time_second + dyn_short_lifetime ;
r->chain = chain ;
r->type = ((struct ip_fw_ext *)chain->rule)->dyn_type ;
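Review bot: `r->lifetime = chain->rule->fw_dyn_lifetime` reads a member that the ip_fw.h hunk places inside `fw_un`, which from its other members (`fu_skipto_rule`, `fu_reject_code`, `fu_fwd_ip`) looks like the per-action union; if so, a keep-state rule whose action is skipto, reject, fwd or pipe has its action operand reinterpreted here as a non-zero lifetime, and the listing code in the sbin/ipfw hunk prints that operand as `lifetime`. The field belongs in the rule struct proper rather than in the union, or this code must check that the action does not use the union before reading it. The value is also applied unclamped, so a very large lifetime produces an entry that practically never expires and pins a slot in the dynamic table for the duration; clamping against a sysctl-controlled maximum at this point would bound that. Separately, the new `else` arm changes the initial timeout of non-TCP entries from `dyn_syn_lifetime` to `dyn_short_lifetime`, which is a behaviour change beyond the per-rule lifetime the description covers and deserves a mention. The enclosing function starts before this hunk.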
--- sys/netinet/ip_fw.h.orig Thu Feb 10 07:17:39 2000
+++ sys/netinet/ip_fw.h Mon Jun 5 08:08:51 2000
@@ -73,6 +73,7 @@
u_short fu_skipto_rule; /* SKIPTO command rule number */
u_short fu_reject_code; /* REJECT response code */
struct sockaddr_in fu_fwd_ip;
+ u_int32_t fu_dyn_lifetime; /* Explicit dynamic rule lifetime */
} fw_un;
u_char fw_prot; /* IP protocol */
/*
@@ -121,6 +122,7 @@
#define fw_reject_code fw_un.fu_reject_code
#define fw_pipe_nr fw_un.fu_pipe_nr
#define fw_fwd_ip fw_un.fu_fwd_ip
+#define fw_dyn_lifetime fw_un.fu_dyn_lifetime
struct ip_fw_chain {
LIST_ENTRY(ip_fw_chain) chain;
@@ -147,6 +149,7 @@
struct ipfw_flow_id mask ;
struct ip_fw_chain *chain ; /* pointer to parent rule */
u_int32_t type ; /* rule type */
+ u_int32_t lifetime ; /* per-rule specified lifetime */
u_int32_t expire ; /* expire time */
u_int64_t pcnt, bcnt; /* match counters */
u_int32_t bucket ; /* which bucket in hash table */
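Review bot: Inserting `lifetime` between `type` and `expire` shifts the offset of every following member, and the `-d` listing in ipfw(8) appears to receive copies of these entries from the kernel; if that is the case, an ipfw binary built against the old header misreads `expire` and everything after it, with no version check to catch the mismatch. A comment on the new field such as `/* layout is shared with ipfw(8); rebuild sbin/ipfw when changing */` would at least record the coupling, and placing the field at the end of the struct would keep the existing members' offsets stable. The struct definition begins before this hunk and its remaining members lie outside it.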
--- sbin/ipfw/ipfw.c.orig Sun Feb 13 04:46:59 2000
+++ sbin/ipfw/ipfw.c Mon Jun 5 08:09:29 2000
@@ -381,6 +381,8 @@
printf(" keep-state %d", (int)chain->next_rule_ptr);
else
printf(" keep-state");
+ if (chain->fw_dyn_lifetime)
+ printf(" lifetime %d", (int)chain->fw_dyn_lifetime);
}
/* Direction */
if (chain->fw_flg & IP_FW_BRIDGED)
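Review bot: `(int)chain->fw_dyn_lifetime` with `%d` prints lifetimes above INT_MAX as negative numbers, although the field is `u_int32_t` and the kernel hunk treats its full range as valid; `printf(" lifetime %u", (unsigned)chain->fw_dyn_lifetime);` matches the field's type. The `keep-state %d` line above uses the same cast pattern, so the choice may be deliberate for consistency, but a lifetime is a plain count rather than a rule number. The enclosing function lies partly outside this hunk.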
@@ -1553,6 +1555,15 @@
(int)rule.next_rule_ptr = type ;
av++; ac--;
}
+ if (ac > 0 && !strncmp(*av,"lifetime",strlen(*av))) {
+ u_long lifetime ;
+
+ av++; ac--;
+ if (ac > 0 && (lifetime = atoi(*av)) != 0) {
+ rule.fw_dyn_lifetime = lifetime;
+ av++; ac--;
+ }
+ }
continue;
}
if (!strncmp(*av,"bridged",strlen(*av))) {
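Review bot: The operand is parsed with `atoi`, so a negative or non-numeric token is accepted silently: `lifetime -1` yields a u_long that truncates to a huge `fw_dyn_lifetime` and an entry that effectively never expires, while `lifetime abc` returns 0, leaves the token unconsumed and lets it fall through to be misreported as some other option. Parse with `strtoul`, check the end pointer and `errno`, reject values that do not fit the u_int32_t field, and fail with `errx(EX_DATAERR, ...)` instead of ignoring the option. The block below replaces the added lines; the enclosing function continues outside the hunk.
```c
if (ac > 0 && !strncmp(*av,"lifetime",strlen(*av))) {
	char *end;
	u_long lifetime;

	av++; ac--;
	if (ac == 0)
		errx(EX_DATAERR, "lifetime: missing value");
	errno = 0;
	lifetime = strtoul(*av, &end, 10);
	if (end == *av || *end != '\0' || errno == ERANGE ||
	    (u_int32_t)lifetime != lifetime)
		errx(EX_DATAERR, "lifetime: bad value %s", *av);
	rule.fw_dyn_lifetime = lifetime;
	av++; ac--;
}
/* … unchanged: continue; and the bridged option … */
```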
