RE: Add creation time to dynamic firewall rules

From: David Schwartz <davids_at_webmaster.com>
Date: Fri, 26 Nov 2004 19:47:00 -0800
	Here it is, tested and working. There were two bugs in the previous post,
pretty amazing for 7 lines of core. ;)

	Again, this patch adds the creation time to every dynamic firewall rule.
This allows you to see how stable a connection is and to estimate the
average bandwidth. A '-C' flag is added to 'ipfw' to display how much time
since the rule was created rather than how long until it expires.

	The cost is 4 bytes per dynamic firewall rule. This consumes kernel
memory and adds copying when you dump the dynamic firewall rules. It also adds an
extra computation when the rules are retrieved (to relativize the time, as
is done with the expiration time).

	This patch is released under the FreeBSD license and I would like it to be
considered for inclusion in the kernel. Patch is against 5_STABLE and should
easily port to other streams. The version and time stamps are in the diff.

	Thanks.

	David Schwartz

--

--- ip_fw.h	1.89.2.2 2004/10/03 17:04:40
+++ ip_fw.h	Fri Nov 26 18:51:15 2004
_at__at_ -353,6 +353,7 _at__at_ struct _ipfw_dyn_rule {
 	u_int64_t	bcnt;		/* byte match counter		*/
 	struct ipfw_flow_id id;		/* (masked) flow id		*/
 	u_int32_t	expire;		/* expire time			*/
+	u_int32_t	created;	/* creation time		*/
 	u_int32_t	bucket;		/* which bucket in hash table	*/
 	u_int32_t	state;		/* state of this rule (typically a
 					 * combination of TCP flags)
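Review bot: The new field changes sizeof(ipfw_dyn_rule), and that size is the per-rule stride the kernel uses when it copies dynamic rules out (`bp += sizeof(ipfw_dyn_rule)` in the ip_fw2.c hunk below), so a kernel and an ipfw(8) binary built from different revisions of this header will presumably disagree on where each record starts and misread every rule after the first. Nothing in this patch detects that mismatch; if the rule dump carries a version or size field elsewhere it should be bumped, otherwise the incompatibility deserves a line in the commit text. The field comment should also say what the copied-out value holds, since ipfw_getrules rewrites it before it reaches userland: `u_int32_t created; /* creation time; age in seconds in the getrules copy */`. The struct continues outside the hunk.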

--- ip_fw2.c	1.54.2.3 2004/09/17 14:49:08
+++ ip_fw2.c	Fri Nov 26 18:56:41 2004
_at__at_ -1037,6 +1037,7 _at__at_ add_dyn_rule(struct ipfw_flow_id *id, u_

 	r->id = *id;
 	r->expire = time_second + dyn_syn_lifetime;
+	r->created = time_second;
 	r->rule = rule;
 	r->dyn_type = dyn_type;
 	r->pcnt = r->bcnt = 0;
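Review bot: `time_second` is read twice in a row, once for `r->expire` on the line above and again for the new `r->created`; if the clock ticks between the two reads (time_second looks like a live global here), `expire - created` is no longer `dyn_syn_lifetime`, which is exactly the relationship the new field is meant to expose. Read it once into a local: `u_int32_t now = time_second; r->expire = now + dyn_syn_lifetime; r->created = now;`. add_dyn_rule starts outside the hunk.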
_at__at_ -3089,6 +3090,9 _at__at_ ipfw_getrules(struct ip_fw_chain *chain,
 					dst->expire =
 					    TIME_LEQ(dst->expire, time_second) ?
 						0 : dst->expire - time_second ;
+					dst->created =
+					    TIME_LEQ(time_second, dst->created) ?
+					        0 : time_second - dst->created;
 					bp += sizeof(ipfw_dyn_rule);
 				}
 			}
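Review bot: After this conversion the copied-out `created` no longer holds a timestamp but an age in seconds, mirroring the relative `expire` computed just above it, yet nothing at the point of use says so; a comment such as `/* as with expire: report created as seconds since creation, not an absolute time */` would save the next reader a trip back to add_dyn_rule. The clamp to 0 when `created` is in the future can only trigger if the clock moved backwards, which is worth stating as well. This presumably rewrites the copy in the output buffer rather than the live rule, as the existing expire rewrite does; ipfw_getrules continues outside the hunk on both sides.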

--- ipfw.8	1.150.2.4 2004/11/08 19:07:03
+++ ipfw.8	Fri Nov 26 18:59:20 2004
_at__at_ -13,7 +13,7 _at__at_
 .Cm add
 .Ar rule
 .Nm
-.Op Fl acdefnNStT
+.Op Fl acCdefnNStT
 .Brq Cm list | show
 .Op Ar rule | first-last ...
 .Nm
_at__at_ -223,6 +223,10 _at__at_ Implies
 When entering or showing rules, print them in compact form,
 i.e., without the optional "ip from any to any" string
 when this does not carry any additional information.
+.It Fl C
+When viewing dynamic firewall rules, print the number of
+seconds since the rule was created rather than the number
+of seconds until the rule expires.
 .It Fl d
 While listing, show dynamic rules in addition to static ones.
 .It Fl e


--- ipfw2.c	1.54.2.3 2004/09/17 14:49:08
+++ ipfw2.c	Fri Nov 26 18:57:04 2004
_at__at_ -67,6 +67,7 _at__at_ int
 		show_sets,		/* display rule sets */
 		test_only,		/* only check syntax */
 		comment_only,		/* only print action and comment */
+		show_created,		/* show creation time */
 		verbose;

 #define	IP_MASK_ALL	0xffffffff
_at__at_ -1367,7 +1368,8 _at__at_ show_dyn_ipfw(ipfw_dyn_rule *d, int pcwi
 	if (pcwidth>0 || bcwidth>0)
 	    printf(" %*llu %*llu (%ds)", pcwidth,
 		align_uint64(&d->pcnt), bcwidth,
-		align_uint64(&d->bcnt), d->expire);
+		align_uint64(&d->bcnt),
+		show_created ? d->created : d->expire);
 	switch (d->dyn_type) {
 	case O_LIMIT_PARENT:
 		printf(" PARENT %d", d->count);
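Review bot: The `(%ds)` column prints identically whether it shows the seconds until expiry or the seconds since creation, so output captured with and without -C cannot be told apart afterwards; printing a distinct form under -C, e.g. `(%ds old)`, would remove the ambiguity. The new operand also inherits the existing `%d` conversion for a u_int32_t value; `%u` would match the type. show_dyn_ipfw continues outside the hunk.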
_at__at_ -3843,7 +3845,7 _at__at_ ipfw_main(int oldac, char **oldav)
 	save_av = av;

 	optind = optreset = 0;
-	while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1)
+	while ((ch = getopt(ac, av, "abcCdefhnNqs:STtv")) != -1)
 		switch (ch) {
 		case 'a':
 			do_acct = 1;
_at__at_ -3906,7 +3908,9 _at__at_ ipfw_main(int oldac, char **oldav)
 		case 'v': /* verbose */
 			verbose = 1;
 			break;
-
+		case 'C': /* created time */
+			show_created = 1;
+			break;
 		default:
 			free_args(save_ac, save_av);
 			return 1;
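Review bot: The new `case 'C'` is placed after `case 'v'`, while the rest of the switch appears to follow the order of the option string (`"abcCdefhnNqs:STtv"`), so a reader scanning for C will look between `c` and `d`; moving it there keeps the switch and the getopt string aligned. If usage() enumerates the accepted flags it needs the same addition the manpage received in ipfw.8; that function is not in the diff. ipfw_main continues outside the hunk.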