From owner-freebsd-bugs Tue Dec 10 1:50: 8 2002 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E5A3237B401 for ; Tue, 10 Dec 2002 01:50:02 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11FC343EC2 for ; Tue, 10 Dec 2002 01:50:02 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id gBA9o1x3058775 for ; Tue, 10 Dec 2002 01:50:01 -0800 (PST) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id gBA9o1Ac058774; Tue, 10 Dec 2002 01:50:01 -0800 (PST) Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D334437B401 for ; Tue, 10 Dec 2002 01:40:14 -0800 (PST) Received: from mx.salut.ru (mx.salut.ru [194.67.150.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B96543EBE for ; Tue, 10 Dec 2002 01:40:12 -0800 (PST) (envelope-from okor@salut.ru) Received: from bazamot.salut.ru (mx.salut.ru [194.67.150.72]) by mx.salut.ru (ESMTP daemon) with ESMTP id gBA9e3rB017727 for ; Tue, 10 Dec 2002 12:40:03 +0300 (MSK) (envelope-from okor@salut.ru) Received: (from root@localhost) by bazamot.salut.ru (8.12.6/8.12.6/Submit) id gBA9e254017726; Tue, 10 Dec 2002 12:40:02 +0300 (MSK) (envelope-from okor) Message-Id: <200212100940.gBA9e254017726@bazamot.salut.ru> Date: Tue, 10 Dec 2002 12:40:02 +0300 (MSK) From: Oleg Koreshkov Reply-To: Oleg Koreshkov To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Subject: kern/46159: ipfw dynamic rules lifetime feature Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 46159 >Category: kern >Synopsis: ipfw dynamic rules lifetime feature >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Tue Dec 10 01:50:01 PST 2002 >Closed-Date: >Last-Modified: >Originator: Oleg Koreshkov >Release: FreeBSD 4.7-RELEASE i386 >Organization: A LOT OF... >Environment: System: FreeBSD xxxx.xxx.xx 4.7-RELEASE-p2 FreeBSD 4.7-RELEASE-p2 #8: Thu Nov 14 18:48:42 MSK 2002 root@xxx.xxx.xx:/usr/obj/usr/src/sys/XXXXXXX i386 >Description: When you use stateful filtering (with ipfw) it sometimes useful to have different default lifetime for dynamic rules according to rule body (not only for protocol). For example, on very busy web server it's advisable to keep 'net.inet.ip.fw.dyn_ack_lifetime' moderately short, while allow other types of tcp sessions (smtp,ftp,ssh etc...) exist without any limitations. Another example is allow udp/icmp packets that are outgoing from our iface have a long dynamic rule lifetime, but for packets comes from other hosts - short one... (because, for example, we can answer for ICMP query quite quickly, but we don't know how fast is remote host...) Kernel part of ipfw extended by adding extra field 'dyn_lifetime' in ip_fw structure. Userland utility ``ipfw'' extended by adding rule option ``lifetime ''. This option may be used standalone or with ``keep-state'' / ``limit'' rules. For TCP packets it option replaces lifetime for sessions in established state (if no ``lifetime'' option apeared, then default is net.inet.ip.fw.dyn_ack_lifetime). For UDP packets is replaces 'net.inet.ip.fw.dyn_udp_lifetime' For ICMP and other packets is replaces 'net.inet.ip.fw.dyn_short_lifetime' So, while we have default lifetime for TCP sessions in established state (kept in kern sysctl 'net.inet.ip.fw.dyn_ack_lifetime'), we may want to explicitly define it for other sessions: # ipfw add 1000 pass tcp from me to any setup lifetime 7200 this example mean, that dynamic rules created from this rule will have ``dyn_ack_lifetime'' equal to 7200 seconds (2 hours). >How-To-Repeat: use patch below: cd /usr/src patch < ipfw.lifetime.patch rebuild and install your kernel (and/or) ipfw kernel module... rebuild ipfw and libalias (and all that statically use this library) >Fix: ipfw.lifetime.patch: ==================================================================================== --- sys/netinet/ip_fw.h 1.47.2.11 2002/07/09 +++ sys/netinet/ip_fw.h @@ -159,6 +159,7 @@ #define DYN_DST_PORT 0x8 u_short conn_limit; /* # of connections for limit rule */ + u_int32_t dyn_lifetime; /* lifetime for dynamic rule */ }; #define fw_divert_port fw_un.fu_divert_port --- sys/netinet/ip_fw.c 1.131.2.35 2002/07/29 +++ sys/netinet/ip_fw.c @@ -783,12 +783,12 @@ break ; case TH_SYN | (TH_SYN << 8) : /* move to established */ - q->expire = time_second + dyn_ack_lifetime ; + q->expire = time_second + (q->rule->dyn_lifetime?q->rule->dyn_lifetime:dyn_ack_lifetime) ; break ; case TH_SYN | (TH_SYN << 8) | TH_FIN : case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) : /* one side tries to close */ - q->expire = time_second + dyn_ack_lifetime ; + q->expire = time_second + (q->rule->dyn_lifetime?q->rule->dyn_lifetime:dyn_ack_lifetime) ; break ; case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8) : /* both sides closed */ @@ -807,10 +807,10 @@ break ; } } else if (pkt->proto == IPPROTO_UDP) { - q->expire = time_second + dyn_udp_lifetime ; + q->expire = time_second + (q->rule->dyn_lifetime?q->rule->dyn_lifetime:dyn_udp_lifetime) ; } else { /* other protocols */ - q->expire = time_second + dyn_short_lifetime ; + q->expire = time_second + (q->rule->dyn_lifetime?q->rule->dyn_lifetime:dyn_short_lifetime) ; } if (match_direction) *match_direction = dir ; @@ -2083,6 +2083,7 @@ ip_fw_default_rule = LIST_FIRST(&ip_fw_chain_head) ; printf("IP packet filtering initialized, " + "lifetime feature enabled, " #ifdef IPDIVERT "divert enabled, " #else --- sbin/ipfw/ipfw.c 1.80.2.24 2002/09/26 +++ sbin/ipfw/ipfw.c @@ -402,6 +402,8 @@ printf(" %d", chain->conn_limit); break ; } + if(chain->dyn_lifetime) + printf(" lifetime %d",chain->dyn_lifetime); } /* Direction */ if (chain->fw_flg & IP_FW_BRIDGED) @@ -890,6 +892,7 @@ " tcpoptions [!]{mss|window|sack|ts|cc}, ...\n" " icmptypes {type[, type]}...\n" " keep-state [method]\n" +" lifetime \n" " pipeconfig:\n" " {bw|bandwidth} {bit/s|Kbit/s|Mbit/s|Bytes/s|KBytes/s|MBytes/s}\n" " {bw|bandwidth} interface_name\n" @@ -1958,6 +1961,16 @@ rule.dyn_type = type; av++; ac--; } + } else if (!strncmp(*av, "lifetime", strlen(*av))) { + u_int32_t dyn_lifetime; + rule.fw_flg |= IP_FW_F_KEEP_S; + + av++; ac--; + if (ac > 0 && (dyn_lifetime = atoi(*av)) != 0) { + rule.dyn_lifetime = dyn_lifetime; + av++; ac--; + } else errx(EX_USAGE, "``lifetime'' needs" + " dynamic rule lifetime (seconds)"); } else if (!strncmp(*av, "bridged", strlen(*av))) { rule.fw_flg |= IP_FW_BRIDGED; av++; ac--; ==================================================================================== >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message