authorluigi <luigi@FreeBSD.org>2002-07-14 23:47:18 +0000
committerluigi <luigi@FreeBSD.org>2002-07-14 23:47:18 +0000
commitd3091fc32b111ebce3d5248653807320512d3ad5 (patch)
treec1b91ae5b20f59ddafce067a163ee16bffddf0ab /sys/netinet/ip_fw.h
parentef40393a593b05452846648116f467d3858d71db (diff)
Implement keepalives for dynamic rules, so they will not expire
just because you leave your session idle. Also, put in a fix for 64-bit architectures (to be revised). In detail: ip_fw.h * Reorder fields in struct ip_fw to avoid alignment problems on 64-bit machines. This only masks the problem, I am still not sure whether I am doing something wrong in the code or there is a problem elsewhere (e.g. different alignment of structures between userland and kernel because of pragmas etc.) * added fields in dyn_rule to store ack numbers, so we can generate keepalives when the dynamic rule is about to expire ip_fw2.c * use a local function, send_pkt(), to generate TCP RST for Reset rules; * save about 250 bytes by cleaning up the various snprintf() in ipfw_log() ... * ... and use twice as many bytes to implement keepalives (this seems to be working, but i have not tested it extensively). Keepalives are generated once every 5 seconds for the last 20 seconds of the lifetime of a dynamic rule for an established TCP flow. The packets are sent to both sides, so if at least one of the endpoints is responding, the timeout is refreshed and the rule will not expire. You can disable this feature with sysctl net.inet.ip.fw.dyn_keepalive=0 (the default is 1, to have them enabled). MFC after: 1 day (just kidding... I will supply an updated version of ipfw2 for RELENG_4 tomorrow).
Diffstat (limited to 'sys/netinet/ip_fw.h')
-rw-r--r--sys/netinet/ip_fw.h8
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 0213b27..4ea0c50 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -275,7 +275,8 @@ typedef struct _ipfw_insn_log {
*/
struct ip_fw {
- struct ip_fw *next; /* linked list of rules */
+ struct ip_fw *next; /* linked list of rules */
+ struct ip_fw *next_rule; /* ptr to next [skipto] rule */
u_int16_t act_ofs; /* offset of action in 32-bit units */
u_int16_t cmd_len; /* # of 32-bit words in cmd */
u_int16_t rulenum; /* rule number */
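Review bot: The two kernel pointers now placed at the head of struct ip_fw (`next` and `next_rule`) live in a structure the commit message says is also consumed from userland, yet the new layout carries no comment recording that the field order is part of that interface or why it was changed; the same move is completed by the removal in the second hunk. The reason for the reorder (keeping the 64-bit counters naturally aligned on 64-bit machines) exists only in the commit log, so a later maintainer could reorder the fields again without noticing the consequence. I would add above `next`: `/* NOTE: layout is shared with userland; pointers first so the 64-bit counters below stay naturally aligned -- see commit log */`. If the rule-listing path copies this struct out verbatim, the two pointers also disclose kernel addresses to unprivileged readers, so that path should clear them before the copy; it is outside this diff and I cannot confirm it here.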
@@ -286,8 +287,6 @@ struct ip_fw {
u_int64_t bcnt; /* Byte counter */
u_int32_t timestamp; /* tv_sec of last match */
- struct ip_fw *next_rule; /* ptr to next rule */
-
ipfw_insn cmd[1]; /* storage for commands */
};
@@ -327,6 +326,9 @@ struct _ipfw_dyn_rule {
u_int32_t state; /* state of this rule (typically a
* combination of TCP flags)
*/
+ u_int32_t ack_fwd; /* most recent ACKs in forward */
+ u_int32_t ack_rev; /* and reverse directions (used */
+ /* to generate keepalives) */
u_int16_t dyn_type; /* rule type */
u_int16_t count; /* refcount */
};
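Review bot: The new `ack_fwd`/`ack_rev` fields state neither their byte order nor when they are refreshed, although the commit message says they are the values written into generated keepalive packets, so a producer/consumer disagreement (host versus network order, or a stale value after the flow advanced) would not be visible from the header alone. I would replace the three comment fragments with one that pins this down, e.g. `/* most recent ACK seen in each direction, <BYTE-ORDER: host or network, as stored by ip_fw2.c>; refreshed on match, read when generating keepalives */`, filling in the byte-order clause from the code in ip_fw2.c, which is outside this diff. Because `state` is a u_int32_t, the two 32-bit additions keep `dyn_type` and `count` at the same relative alignment, but the struct grows by 8 bytes, so any userland consumer of the dynamic-rule listing must be rebuilt against this header.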