From: "David Schwartz" <davids@webmaster.com>
To: freebsd-current@FreeBSD.org
Date: Wed, 24 Nov 2004 13:12:28 -0800
Subject: RFC: Add creation time to dynamic firewall rules

FreeBSD does not keep track of the time a dynamic firewall rule was created in the structure associated with that rule.
It looks like it would take less than an hour to code up a patch to keep this information and add a flag to ipfw to display how many seconds old the rule is instead of the usage time. I want this addition for two reasons:

1) Being able to know how old a connection is gives you important information about its stability.

2) By dividing the number of bytes by the connection age, you can guesstimate the approximate bandwidth usage of the connection.

I could easily make this change locally and maintain it as a local patch, but would prefer to see it accepted into the general distribution. Does anyone have any comments as to whether such a patch would be likely to be accepted?

The cost is, essentially, an extra 4 bytes for each dynamic firewall rule. A large firewall might have 10,000 dynamic rules, which would be 40Kb. A typical firewall might have 300, which would be 1Kb or so. (It might actually be a bit more or less, I haven't looked at slack space.)

Thanks in advance for any comments.

DS