RFC: Add creation time to dynamic firewall rules
David Schwartz
davids at webmaster.com
Wed Nov 24 13:12:28 PST 2004
FreeBSD does not keep track of the time a dynamic firewall was created in
the structure associated with that rule. It looks like it would take less
than an hour to code up a patch to keep this information and add a flag to
ipfw to display how many seconds old the rule is instead of the usage time.

I want this addition for two reasons:

1) Being able to know how old a connection is gives you important
information about its stability.

2) By dividing the number of bytes by the connection age, you can
guesstimate the approximate bandwidth usage of the connection.

I could easily make this change locally and maintain it as a local patch,
but would prefer to see it accepted into the general distribution. Does
anyone have any comments as to whether such a patch would be likely to be
accepted?

The cost is, essentially, an extra 4 bytes for each dynamic firewall rule.
A large firewall might have 10,000 dynamic rules, which would be 40Kb. A
typical firewall might have 300, which would be 1Kb or so. (It might
actually be a bit more or less, I haven't looked at slack space.)

Thanks in advance for any comments.

DS
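The age and bandwidth arithmetic the post proposes, as an added illustration that is not the author's patch and not FreeBSD's ipfw code: `struct dyn_rule` is a constructed stand-in for a dynamic rule entry (the real ipfw_dyn_rule differs), with `created` as the proposed 4-byte field, and the helpers handle the two cases a display flag would trip over, a rule created within the current second (age 0) and a wrapped 32-bit clock.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a dynamic rule entry; NOT FreeBSD's ipfw_dyn_rule.
 * The only field the proposal adds is 'created'. */
struct dyn_rule {
    uint64_t bytes;     /* byte counter already kept per dynamic rule */
    uint32_t created;   /* proposed: seconds (monotonic clock) at creation */
    uint32_t last_used; /* existing "usage time" that ipfw displays today */
};

/* Age of the rule in seconds. Unsigned subtraction gives the correct
 * difference even if the 32-bit clock wrapped since the rule was created. */
uint32_t rule_age(const struct dyn_rule *r, uint32_t now)
{
    return now - r->created;
}

/* Rough bytes-per-second estimate (bytes / age). A rule created within the
 * current second has age 0; count its bytes as one second's worth instead of
 * dividing by zero. */
uint64_t rule_bps(const struct dyn_rule *r, uint32_t now)
{
    uint32_t age = rule_age(r, now);
    return r->bytes / (age ? age : 1);
}

/* Memory cost of the added field across n dynamic rules, slack ignored. */
size_t creation_field_cost(size_t n)
{
    return n * sizeof(uint32_t);
}

int main(void)
{
    /* constructed sample: 6 MB moved over a rule that is 300 s old */
    struct dyn_rule r = { .bytes = 6000000, .created = 1000, .last_used = 1290 };
    uint32_t now = 1300;
    printf("age %u s, ~%llu B/s, cost for 10000 rules: %zu bytes\n",
           rule_age(&r, now), (unsigned long long)rule_bps(&r, now),
           creation_field_cost(10000));
    return 0;
}
```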