From owner-freebsd-current@FreeBSD.ORG Sat Nov 27 03:20:17 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B90C16A4CE for ; Sat, 27 Nov 2004 03:20:17 +0000 (GMT) Received: from mail1.webmaster.com (mail1.webmaster.com [216.152.64.168]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB28543D2F for ; Sat, 27 Nov 2004 03:20:16 +0000 (GMT) (envelope-from davids@webmaster.com) Received: from however by webmaster.com (MDaemon.PRO.v7.1.0.R) with ESMTP id md50000298868.msg for ; Fri, 26 Nov 2004 18:56:14 -0800 
From: "David Schwartz" To: "freebsd-current@FreeBSD. org" Date: Fri, 26 Nov 2004 19:19:51 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) Importance: Normal In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-Authenticated-Sender: joelkatz@webmaster.com X-Spam-Processed: mail1.webmaster.com, Fri, 26 Nov 2004 18:56:14 -0800 (not processed: message from trusted or authenticated source) X-MDRemoteIP: 206.171.168.138 X-Return-Path: davids@webmaster.com X-MDaemon-Deliver-To: freebsd-current@FreeBSD.org X-MDAV-Processed: mail1.webmaster.com, Fri, 26 Nov 2004 18:56:18 -0800 Subject: RE: Add creation time to dynamic firewall rules X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: davids@webmaster.com List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Nov 2004 03:20:17 -0000

Below is my first attempt at adding code to keep the creation time for dynamic firewall rules. I also added a '-C' flag to 'ipfw' to show the creation time instead of the expiration time. This code is released under the same license as FreeBSD itself. Patch is against 5_STABLE, versions are in the diff entries. It is not yet tested, though it looks right and it compiles.

DS

--- ip_fw.h 1.89.2.2 2004/10/03 17:04:40 +++ ip_fw.h Fri Nov 26 18:51:15 2004 @@ -353,6 +353,7 @@ struct _ipfw_dyn_rule { u_int64_t bcnt; /* byte match counter */ struct ipfw_flow_id id; /* (masked) flow id */ u_int32_t expire; /* expire time */ + u_int32_t created; /* creation time */ u_int32_t bucket; /* which bucket in hash table */ u_int32_t state; /* state of this rule (typically a * combination of TCP flags) --- ip_fw2.c 1.54.2.3 2004/09/17 14:49:08 +++ ip_fw2.c Fri Nov 26 18:56:41 2004 
@@ -1037,6 +1037,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_ r->id = *id; r->expire = time_second + dyn_syn_lifetime; + r->created = time_second; r->rule = rule; r->dyn_type = dyn_type; r->pcnt = r->bcnt = 0; @@ -3089,6 +3090,9 @@ ipfw_getrules(struct ip_fw_chain *chain, dst->expire = TIME_LEQ(dst->expire, time_second) ? 0 : dst->expire - time_second ; + dst->created = + TIME_LEQ(dst->created, time_second) ? + 0 : dst->created - time_second ; bp += sizeof(ipfw_dyn_rule); } } --- ipfw.8 1.150.2.4 2004/11/08 19:07:03 +++ ipfw.8 Fri Nov 26 18:59:20 2004 @@ -13,7 +13,7 @@ .Cm add .Ar rule .Nm -.Op Fl acdefnNStT +.Op Fl acCdefnNStT .Brq Cm list | show .Op Ar rule | first-last ... .Nm @@ -223,6 +223,10 @@ Implies When entering or showing rules, print them in compact form, i.e., without the optional "ip from any to any" string when this does not carry any additional information. +.It Fl C +When viewing dynamic firewall rules, print the number of +seconds since the rule was created rather than the number +of seconds until the rule expires. .It Fl d While listing, show dynamic rules in addition to static ones. .It Fl e --- ipfw2.c 1.54.2.3 2004/09/17 14:49:08 +++ ipfw2.c Fri Nov 26 18:57:04 2004 @@ -67,6 +67,7 @@ int show_sets, /* display rule sets */ test_only, /* only check syntax */ comment_only, /* only print action and comment */ + show_created, /* show creation time */ verbose; #define IP_MASK_ALL 0xffffffff @@ -1367,7 +1368,8 @@ show_dyn_ipfw(ipfw_dyn_rule *d, int pcwi if (pcwidth>0 || bcwidth>0) printf(" %*llu %*llu (%ds)", pcwidth, align_uint64(&d->pcnt), bcwidth, - align_uint64(&d->bcnt), d->expire); + align_uint64(&d->bcnt), + show_created ? d->created : d->expire); switch (d->dyn_type) { case O_LIMIT_PARENT: printf(" PARENT %d", d->count); @@ -3906,7 +3908,9 @@ ipfw_main(int oldac, char **oldav) case 'v': /* verbose */ verbose = 1; break; - + case 'C': /* created time */ + show_created = 1; + break; default: free_args(save_ac, save_av); return 1;
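Review bot: The ip_fw.h hunk inserts `created` in the middle of struct _ipfw_dyn_rule, a structure that ipfw_getrules() copies out to userland as-is (`bp += sizeof(ipfw_dyn_rule)`), so the kernel and the ipfw(8) binary must be rebuilt together and anything else that parses the dynamic-rule dump by offset will misread every member after `expire`. Appending the new member at the end of the struct would at least leave the existing offsets intact; in either case the ABI change should be called out in the commit message.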
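Review bot: The ipfw_getrules() hunk in ip_fw2.c has the subtraction the wrong way round: `created` was set to time_second when the rule was installed, so `TIME_LEQ(dst->created, time_second)` holds for every live rule and the copied-out value is always 0. The `expire` case computes seconds until expiry as expire - now; the age the ipfw.8 hunk documents is now - created, i.e. `dst->created = TIME_LEQ(time_second, dst->created) ? 0 : time_second - dst->created;` (the guard only matters if the clock has stepped backwards since the rule was created).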
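Review bot: The new `.It Fl C` entry in ipfw.8 should say that the option only affects the dynamic-rule lines and therefore does nothing unless `Fl d` is also given (the `.It Fl d` entry directly below it is what makes dynamic rules appear at all); a cross-reference to `Fl d` in the new text would make that explicit. The entry should also warn that the number is printed in the same `(Ns)` position as the remaining lifetime, since nothing in the listing marks which of the two it is.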
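Review bot: In the show_dyn_ipfw() hunk the selected value goes through the unchanged `(%ds)` format, so a listing produced with -C is indistinguishable from one without it, and a script reading `ipfw -d show` cannot tell an age of 30 s from 30 s of remaining lifetime. A distinct label for the created case (for example a different suffix inside the parentheses) would keep the two outputs apart; while touching this printf, note that `%d` is being used for a u_int32_t in both branches.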
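Review bot: The `case 'C':` added in ipfw_main() is unreachable as the patch stands: no hunk changes the option string passed to getopt(3), so getopt() returns '?' for -C and the `default:` branch rejects the command line with `return 1`, which is consistent with the author's note that the code is untested. Add 'C' to the getopt option string in the same change, and either keep the blank line the hunk drops before `default:` or place the new case among the other alphabetically ordered cases so the switch keeps its existing layout.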