Sebastien Petit ([EMAIL PROTECTED]) was heard to say:
> I found your patches for 5.0-CURRENT, I will update it for 4.4 and 4.5,
> thank you Crist.
> Will this patch be committed in 5.0-RELEASE or perhaps 4.6 ? I think
> this is a good functionality imho.
>
> --
> Sebastien Petit
> [EMAIL PROTECTED]
> The HUT Project
> http://www.bsdshell.net/

I wrote an ipfw patch set available for 4.4-RELEASE through 4.5-STABLE,
and even a very few versions of -CURRENT, that adds a "lifetime <number>"
feature to ipfw. By default, it overrides the dyn_ack_lifetime timeout for
TCP rules, the dyn_udp_lifetime for UDP rules, and dyn_short_lifetime for
all other IP rules that use it (keepstate rules, that is). The patch set
includes a man page patch explaining the addition. The latest versions of
the set are available at:

  http://www.aarongifford.com/computers/ipfwpatch.html

I have used this functionality on MANY of the FreeBSD systems I admin
since June of 2000, when I first created the patches and posted them (see
the freebsd-net archive for the archaic versions thereof). The above web
page has versions of the patch set for 4.4-RELEASE, 4.5-RELEASE, several
different 4.X-STABLE versions, and even 1 or 2 -CURRENT versions (though
those are getting old).

There are two open PRs (Oops! There should be only one - someone can
freely merge these if they want.) in hopes of getting this (or similar)
functionality included in the source tree:

  http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/28713
  http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/22065

Memory wise, the patches only increase memory use in the dynamic rules (a
single unsigned short), using a union to store the information in the main
ruleset since for keep-state rules the union in question was not in use
(or so I believe - no one has told me otherwise, I can't see a problem,
and I haven't yet heard of any trouble - if there ever was trouble, it
would be easy to move the field out of the union).

> On 2002.01.26 02:53 Crist J. Clark wrote:
>> On Fri, Jan 25, 2002 at 11:39:29AM -0800, Luigi Rizzo wrote:
>> > there were patches floating around for something similar.
>> >
>> > cheers
>> > luigi
>> >
>> > On Fri, Jan 25, 2002 at 05:28:38PM +0100, Sebastien Petit wrote:
>> > > Hi,
>> > >
>> > > Is there a way to set per keep-state rule timeout ?
>> > > I want to have a little ack timeout for connection to mysql database
>> > > tcp 3306 but a long ack timeout for other rules.
>> > > if not perhaps this syntax can be implemented on ipfw code, for example:
>> > > ipfw add ... keepstate setup timeout-ack 3600
>> > > or
>> > > ipfw add ... keepstate setup timeout-syn 50

Now that's an intriguing idea, adding per-rule options that are a bit more
specific than just modifying dyn_ack_lifetime for TCP, dyn_udp_lifetime
for UDP, and dyn_short_lifetime for others. Your syntax (or a variation
thereof) could be used to give even tighter control over per-rule timeouts
(at the small expense of more memory used to store those per-rule
timeouts).

>> > >
>> > > Perhaps I can do this stuff if there are no objections ?
>>
>> I've got CURRENT patches to do this at the site in the .sig. My STABLE
>> ones bitrotted (the CURRENT ones might be past the sell-by date
>> too). But I could redo them if there is interest.
>> --
>> Crist J. Clark                     | [EMAIL PROTECTED]
>>                                    | [EMAIL PROTECTED]
>> http://people.freebsd.org/~cjc/    | [EMAIL PROTECTED]
>>
>> To Unsubscribe: send mail to [EMAIL PROTECTED]
>> with "unsubscribe freebsd-net" in the body of the message
>>

I too would love to see per-rule expiration control added to FreeBSD's
excellent ipfw filter.

Aaron out.
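To make the expiry behaviour under discussion concrete, here is an added model of an ipfw dynamic (keep-state) rule table with a per-rule "lifetime" override. It is illustration written for this thread, not code from FreeBSD, from Aaron's patch set, or from anyone posting here. It assumes the stock sysctl values for dyn_ack_lifetime, dyn_udp_lifetime and dyn_short_lifetime (300, 10 and 5 seconds), keeps the per-rule value in an unsigned-short range as the patch does, and the names `Rule`, `DynTable`, `effective_lifetime` and the sample flows are all mine. The scenario is the one Sebastien asked for: idle MySQL (tcp 3306) state times out after 60 seconds while other TCP state keeps the protocol-wide timeout.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protocol-wide defaults, in seconds, of the sysctls the thread names
# (assumed stock values; check `sysctl net.inet.ip.fw` on a real box).
DYN_ACK_LIFETIME = 300    # net.inet.ip.fw.dyn_ack_lifetime: established TCP
DYN_UDP_LIFETIME = 10     # net.inet.ip.fw.dyn_udp_lifetime
DYN_SHORT_LIFETIME = 5    # net.inet.ip.fw.dyn_short_lifetime: other IP protocols

Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Rule:
    """A keep-state rule (hypothetical model). `lifetime` stands in for the
    patch's "lifetime <number>" option; None means use the sysctl default."""
    number: int
    proto: str
    dport: int
    lifetime: Optional[int] = None

    def __post_init__(self) -> None:
        # The patch stores the override in a single unsigned short.
        if self.lifetime is not None and not 0 <= self.lifetime <= 0xFFFF:
            raise ValueError("lifetime must fit in an unsigned short")

    def matches(self, flow: Flow) -> bool:
        proto, _src, _sport, _dst, dport = flow
        return proto == self.proto and dport == self.dport


def default_lifetime(proto: str) -> int:
    """Protocol-wide timeout used when a rule carries no override."""
    if proto == "tcp":
        return DYN_ACK_LIFETIME
    if proto == "udp":
        return DYN_UDP_LIFETIME
    return DYN_SHORT_LIFETIME


def effective_lifetime(rule: Rule) -> int:
    """The per-rule value wins over the sysctl, as the patch describes."""
    return rule.lifetime if rule.lifetime is not None else default_lifetime(rule.proto)


class DynTable:
    """Minimal dynamic-rule table: flow key -> (parent rule, expiry time)."""

    def __init__(self, ruleset: List[Rule]) -> None:
        self.ruleset = sorted(ruleset, key=lambda r: r.number)
        self.entries: Dict[Flow, Tuple[Rule, int]] = {}

    def first_packet(self, flow: Flow, now: int) -> Optional[Rule]:
        """No state yet: the first matching rule installs a dynamic entry
        stamped with that rule's effective lifetime."""
        for rule in self.ruleset:
            if rule.matches(flow):
                self.entries[flow] = (rule, now + effective_lifetime(rule))
                return rule
        return None

    def lookup(self, flow: Flow, now: int) -> bool:
        """Later packet of a known flow: a hit refreshes the expiry; an
        entry found already expired is dropped on the way (lazy expiry)."""
        found = self.entries.get(flow)
        if found is None:
            return False
        rule, expire = found
        if expire < now:
            del self.entries[flow]
            return False
        self.entries[flow] = (rule, now + effective_lifetime(rule))
        return True

    def expire(self, now: int) -> int:
        """Periodic sweep; returns how many idle entries were purged."""
        dead = [f for f, (_r, exp) in self.entries.items() if exp < now]
        for f in dead:
            del self.entries[f]
        return len(dead)


def demo() -> Dict[int, List[int]]:
    """Sebastien's scenario: short MySQL timeout, defaults elsewhere.
    Returns the rule numbers still holding state after each sweep."""
    ruleset = [
        Rule(100, "tcp", 3306, lifetime=60),   # mysql: drop idle state fast
        Rule(200, "tcp", 22),                  # ssh: stock dyn_ack_lifetime
        Rule(300, "udp", 53),                  # dns: stock dyn_udp_lifetime
    ]
    table = DynTable(ruleset)
    # Constructed sample flows using documentation address ranges.
    mysql = ("tcp", "192.0.2.10", 40000, "198.51.100.5", 3306)
    ssh = ("tcp", "192.0.2.10", 40001, "198.51.100.6", 22)
    dns = ("udp", "192.0.2.10", 40002, "198.51.100.7", 53)
    for flow in (mysql, ssh, dns):
        table.first_packet(flow, now=0)
    remaining: Dict[int, List[int]] = {}
    for t in (11, 61, 301):          # all flows stay idle from t=0 on
        table.expire(t)
        remaining[t] = sorted(r.number for r, _ in table.entries.values())
    return remaining


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the DNS state gone by t=11, the MySQL state gone by t=61 (its rule's 60-second override) and the SSH state surviving until the 300-second dyn_ack_lifetime runs out. The `lookup` method shows the other half of the behaviour: traffic on a flow pushes its expiry out again, so the per-rule value bounds idle time, not total connection time.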