Date: Wed, 24 Nov 2004 13:12:28 -0800
From: "David Schwartz" <davids@webmaster.com>
To: "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject: RFC: Add creation time to dynamic firewall rules
Message-ID: <MDEHLPKNGKAHNMBLJOLKGEKBAAAB.davids@webmaster.com>
FreeBSD does not keep track of the time a dynamic firewall rule was created in the structure associated with that rule. It looks like it would take less than an hour to code up a patch to keep this information and add a flag to ipfw to display how many seconds old the rule is instead of the usage time.

I want this addition for two reasons:

1) Being able to know how old a connection is gives you important information about its stability.

2) By dividing the number of bytes by the connection age, you can guesstimate the approximate bandwidth usage of the connection.

I could easily make this change locally and maintain it as a local patch, but would prefer to see it accepted into the general distribution. Does anyone have any comments as to whether such a patch would be likely to be accepted?

The cost is, essentially, an extra 4 bytes for each dynamic firewall rule. A large firewall might have 10,000 dynamic rules, which would be 40Kb. A typical firewall might have 300, which would be 1Kb or so. (It might actually be a bit more or less, I haven't looked at slack space.)

Thanks in advance for any comments.

DS
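The proposal above in working form, as an added example that is not the author's patch or FreeBSD's code: a simplified, hypothetical stand-in for the dynamic-rule record (field names `expire`, `bcnt`, `pcnt`, `created` are assumptions, not ipfw's actual layout) with the age calculation, the bytes-over-age bandwidth estimate guarded against a zero-second age, and a sizeof comparison that shows why the per-rule cost depends on where the new field lands relative to existing padding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical, simplified stand-ins for an ipfw dynamic-rule record;
 * only the fields the proposal relies on are modelled. */
struct dyn_rule_old {          /* layout before the change */
    uint32_t expire;           /* rule expiry time, seconds */
    uint64_t bcnt, pcnt;       /* bytes and packets matched */
};
struct dyn_rule_appended {     /* new field simply appended */
    uint32_t expire;
    uint64_t bcnt, pcnt;
    uint32_t created;          /* proposed: creation time, seconds */
};
struct dyn_rule {              /* new field placed beside expire */
    uint32_t expire;
    uint32_t created;          /* proposed: creation time, seconds */
    uint64_t bcnt, pcnt;
};

/* Seconds since the rule was created; clamps to 0 if clocks disagree. */
uint32_t dyn_rule_age(const struct dyn_rule *r, uint32_t now)
{
    return now > r->created ? now - r->created : 0;
}

/* Rough average bandwidth in bytes/second over the rule's lifetime.
 * A rule younger than one second counts as one second old, so the
 * estimate never divides by zero. */
uint64_t dyn_rule_bps(const struct dyn_rule *r, uint32_t now)
{
    uint32_t age = dyn_rule_age(r, now);
    return r->bcnt / (age ? age : 1);
}

/* Per-rule memory cost of the new field: the sizeof difference, which
 * depends on whether the field lands in existing padding (slack space). */
size_t dyn_rule_cost(size_t with_field, size_t without_field)
{
    return with_field - without_field;
}

int main(void)
{
    /* constructed sample: rule created at t=1000, observed at t=1600 */
    struct dyn_rule r = { .expire = 1900, .created = 1000, .bcnt = 3000000, .pcnt = 2500 };
    printf("age=%u s, ~%llu B/s, cost appended=%zu beside expire=%zu\n",
           dyn_rule_age(&r, 1600), (unsigned long long)dyn_rule_bps(&r, 1600),
           dyn_rule_cost(sizeof(struct dyn_rule_appended), sizeof(struct dyn_rule_old)),
           dyn_rule_cost(sizeof(struct dyn_rule), sizeof(struct dyn_rule_old)));
    return 0;
}
```

On a 64-bit ABI where the 8-byte counters are 8-byte aligned, placing `created` beside `expire` fills the existing 4-byte hole and costs nothing, while appending it adds a full 8 bytes; on a 32-bit ABI with 4-byte alignment both placements cost the 4 bytes the author estimates.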