From owner-freebsd-current@FreeBSD.ORG Sat Nov 27 03:47:26 2004
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74EDC16A4CE; Sat, 27 Nov 2004 03:47:26 +0000 (GMT)
Received: from mail1.webmaster.com (mail1.webmaster.com [216.152.64.168]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4950643D54; Sat, 27 Nov 2004 03:47:26 +0000 (GMT) (envelope-from davids@webmaster.com)
Received: from however by webmaster.com (MDaemon.PRO.v7.1.0.R) with ESMTP id md50000298895.msg; Fri, 26 Nov 2004 19:23:30 -0800
From: "David Schwartz"
To: "freebsd-current@FreeBSD.org"
Date: Fri, 26 Nov 2004 19:47:00 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Authenticated-Sender: joelkatz@webmaster.com
X-Spam-Processed: mail1.webmaster.com, Fri, 26 Nov 2004 19:23:30 -0800 (not processed: message from trusted or authenticated source)
X-MDRemoteIP: 206.171.168.138
X-Return-Path: davids@webmaster.com
X-MDaemon-Deliver-To: freebsd-current@FreeBSD.org
X-MDAV-Processed: mail1.webmaster.com, Fri, 26 Nov 2004 19:23:33 -0800
Subject: RE: Add creation time to dynamic firewall rules
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: davids@webmaster.com
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Sat, 27 Nov 2004 03:47:26 -0000

Here it is, tested and working. There were two bugs in the previous post, pretty amazing for 7 lines of core. ;)

Again, this patch adds the creation time to every dynamic firewall rule. This allows you to see how stable a connection is and to estimate the average bandwidth. A '-C' flag is added to 'ipfw' to display how much time since the rule was created rather than how long until it expires.

The cost is 4 bytes per dynamic firewall rule. This is consumed kernel memory and copying when you dump the dynamic firewall rules. It also adds an extra computation when the rules are retrieved (to relativize the time, as is done with the expiration time).

This patch is released under the FreeBSD license and I would like it to be considered for inclusion in the kernel. Patch is against 5_STABLE and should easily port to other streams.
The version and time stamps are in the diff. Thanks. David Schwartz -- --- ip_fw.h 1.89.2.2 2004/10/03 17:04:40 +++ ip_fw.h Fri Nov 26 18:51:15 2004 @@ -353,6 +353,7 @@ struct _ipfw_dyn_rule { u_int64_t bcnt; /* byte match counter */ struct ipfw_flow_id id; /* (masked) flow id */ u_int32_t expire; /* expire time */ + u_int32_t created; /* creation time */ u_int32_t bucket; /* which bucket in hash table */ u_int32_t state; /* state of this rule (typically a * combination of TCP flags) --- ip_fw2.c 1.54.2.3 2004/09/17 14:49:08 +++ ip_fw2.c Fri Nov 26 18:56:41 2004 @@ -1037,6 +1037,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_ r->id = *id; r->expire = time_second + dyn_syn_lifetime; + r->created = time_second; r->rule = rule; r->dyn_type = dyn_type; r->pcnt = r->bcnt = 0; @@ -3089,6 +3090,9 @@ ipfw_getrules(struct ip_fw_chain *chain, dst->expire = TIME_LEQ(dst->expire, time_second) ? 0 : dst->expire - time_second ; + dst->created = + TIME_LEQ(time_second, dst->created) ? + 0 : time_second - dst->created; bp += sizeof(ipfw_dyn_rule); } } --- ipfw.8 1.150.2.4 2004/11/08 19:07:03 +++ ipfw.8 Fri Nov 26 18:59:20 2004 @@ -13,7 +13,7 @@ .Cm add .Ar rule .Nm -.Op Fl acdefnNStT +.Op Fl acCdefnNStT .Brq Cm list | show .Op Ar rule | first-last ... .Nm @@ -223,6 +223,10 @@ Implies When entering or showing rules, print them in compact form, i.e., without the optional "ip from any to any" string when this does not carry any additional information. +.It Fl C +When viewing dynamic firewall rules, print the number of +seconds since the rule was created rather than the number +of seconds until the rule expires. .It Fl d While listing, show dynamic rules in addition to static ones. .It Fl e --- ipfw2.c 1.54.2.3 2004/09/17 14:49:08 +++ ipfw2.c Fri Nov 26 18:57:04 2004 @@ -67,6 +67,7 @@ int show_sets, /* display rule sets */ test_only, /* only check syntax */ comment_only, /* only print action and comment */ + show_created, /* show creation time */ verbose; #define IP_MASK_ALL 0xffffffff 
@@ -1367,7 +1368,8 @@ show_dyn_ipfw(ipfw_dyn_rule *d, int pcwi if (pcwidth>0 || bcwidth>0) printf(" %*llu %*llu (%ds)", pcwidth, align_uint64(&d->pcnt), bcwidth, - align_uint64(&d->bcnt), d->expire); + align_uint64(&d->bcnt), + show_created ? d->created : d->expire); switch (d->dyn_type) { case O_LIMIT_PARENT: printf(" PARENT %d", d->count); @@ -3843,7 +3845,7 @@ ipfw_main(int oldac, char **oldav) save_av = av; optind = optreset = 0; - while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1) + while ((ch = getopt(ac, av, "abcCdefhnNqs:STtv")) != -1) switch (ch) { case 'a': do_acct = 1; @@ -3906,7 +3908,9 @@ ipfw_main(int oldac, char **oldav) case 'v': /* verbose */ verbose = 1; break; - + case 'C': /* created time */ + show_created = 1; + break; default: free_args(save_ac, save_av); return 1;
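Review bot: the new `created` field in `struct _ipfw_dyn_rule` changes the size and layout of a structure the kernel copies out to userland record by record (`bp += sizeof(ipfw_dyn_rule)` in the ipfw_getrules hunk), so an ipfw(8) built against the old header will walk the dynamic rule dump at the wrong stride; the submission should state that kernel and userland must be rebuilt together and, because the field is inserted between `expire` and `bucket`, that every field after it moves as well. Adding it at the end of the struct would at least keep the existing offsets stable.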
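Review bot: `r->created = time_second` in add_dyn_rule is correct but deserves a short comment saying it is set once and intentionally not refreshed when `r->expire` is bumped on later packets, since the two adjacent assignments otherwise look like they belong to the same bookkeeping; `time_second` is wall-clock time, so the field inherits the same sensitivity to clock steps as `expire`.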
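Review bot: in the ipfw_getrules hunk the clamp `TIME_LEQ(time_second, dst->created) ? 0 : time_second - dst->created` correctly avoids a negative age after the clock has been stepped back, but it makes a rule created in the current second indistinguishable from one whose timestamp lies in the future, so anything dividing the byte counter by this value (the average-bandwidth use the post mentions) has to treat 0 as unknown rather than as a real age. A one-line comment next to the clamp would make that contract explicit.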
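Review bot: the `.It Fl C` entry in ipfw.8 should say that the flag only takes effect when dynamic rules are being listed, i.e. together with `-d` (the `-d` entry directly below documents that listing), otherwise a reader will expect `-C` to change a plain `list`; it is also the only place that tells the user the age replaces the expiry countdown in the same position, so stating that the output format itself does not change would help.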
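Review bot: in show_dyn_ipfw the `(%ds)` field counts up (age) when `show_created` is set and counts down (time to expiry) otherwise, but the printed line is identical in both modes, so a script or log consumer cannot tell from the output alone which was meant; consider a distinct suffix for the `-C` case. The `%d` conversion of a `u_int32_t` was pre-existing for `expire` and now applies to `created` too.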
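Review bot: `case 'C'` in ipfw_main is appended after `case 'v'` and drops the blank line that separated the last case from `default:`, while the other cases (`'a'` first, `'v'` last) and the getopt string `"abcCdefhnNqs:STtv"` are in alphabetical order; moving the new case next to `case 'c'` keeps the switch consistent with the option string and makes the option easier to find.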
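The bandwidth estimate the post mentions, as an added example that is not part of the patch or of ipfw: a Python parser for `ipfw -d -C show` output that divides each dynamic rule's byte counter by the age printed with `-C` and treats the kernel's clamped age of 0 as unknown. The line layout is assumed from show_dyn_ipfw() as patched above, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
# A dynamic-rule line as printed by the patched show_dyn_ipfw() with counters shown
# (`ipfw -d -C show`); layout assumed from the hunks above and ipfw2.c, not captured.
DYN_LINE = re.compile(
    r"^(?P<rule>\d{5})\s+(?P<pkts>\d+)\s+(?P<nbytes>\d+)\s+\((?P<secs>\d+)s\)"
    r"\s+(?P<kind>PARENT \d+|LIMIT|STATE)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)

@dataclass
class DynRule:
    rule: int
    pkts: int
    nbytes: int
    age: int      # seconds since creation; only meaningful when -C was given
    proto: str
    src: str
    dst: str

    def avg_bps(self):
        # Average bytes/second over the rule's lifetime. The kernel clamps the age
        # to 0 when TIME_LEQ(time_second, created) (clock stepped back), so treat
        # 0 as "unknown" instead of dividing by it.
        if self.age == 0:
            return None
        return self.nbytes / self.age

def parse_dyn_rules(text):
    rules = []
    for line in text.splitlines():
        m = DYN_LINE.match(line.strip())
        if m is None:
            continue  # "## Dynamic rules" header, static rules, blank lines
        rules.append(DynRule(int(m["rule"]), int(m["pkts"]), int(m["nbytes"]),
                             int(m["secs"]), m["proto"],
                             f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}"))
    return rules

def bandwidth_report(text):
    # Map each flow's source endpoint to (age_seconds, avg_bytes_per_second or None).
    return {r.src: (r.age, r.avg_bps()) for r in parse_dyn_rules(text)}

# Constructed sample of `ipfw -d -C show` output (documentation addresses).
SAMPLE = """\
## Dynamic rules (3):
00100 1200 1536000 (600s) STATE tcp 192.0.2.10 51234 <-> 198.51.100.5 443
00100 3 180 (0s) STATE udp 192.0.2.11 40000 <-> 198.51.100.53 53
00200 20 1400 (30s) PARENT 4 tcp 192.0.2.12 0 <-> 0.0.0.0 0
"""
```

Because the default mode prints the remaining lifetime in the very same `(Ns)` position, the parser must only be fed output produced with `-C`.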