Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Nov 2004 13:12:28 -0800
From:      "David Schwartz" <davids@webmaster.com>
To:        "freebsd-current@FreeBSD. org" <freebsd-current@FreeBSD.org>
Subject:   RFC: Add creation time to dynamic firewall rules
Message-ID:  <MDEHLPKNGKAHNMBLJOLKGEKBAAAB.davids@webmaster.com>

next in thread | raw e-mail | index | archive | help

	FreeBSD does not keep track of the time a dynamic firewall was created in
the structure associated with that rule. It looks like it would take less
than an hour to code up a patch to keep this information and add a flag to
ipfw to display how many seconds old the rule is instead of the usage time.

	I want this addition for two reasons:

	1) Being able to know how old a connection is gives you important
information about its stability.

	2) By dividing the number of bytes by the connection age, you can
guesstimate the approximate bandwidth usage of the connection.

	I could easily make this change locally and maintain it as a local patch,
but would prefer to see it accepted into the general distribution. Does
anyone have any comments as to whether such a patch would be likely to be
accepted?

	The cost is, essentially, an extra 4 bytes for each dynamic firewall rule.
A large firewall might have 10,000 dynamic rules, which would be 40Kb. A
typical firewall might have 300, which would be 1Kb or so. (It might
actually be a bit more or less, I haven't looked at slack space.)

	Thanks in advance for any comments.

	DS




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MDEHLPKNGKAHNMBLJOLKGEKBAAAB.davids>