Add creation time to dynamic firewall rules

David Schwartz davids at webmaster.com
Fri Nov 26 19:20:17 PST 2004 

	Below is my first attempt at adding code to keep the creation time for
dynamic firewall rules. I also added a '-C' flag to 'ipfw' to show the
creation time instead of the expiration time. This code is released under
the same license as FreeBSD itself.

	Patch is against 5_STABLE, versions are in the diff entries. It is not yet
tested, though it looks right and it compiles.

	DS

--- ip_fw.h	1.89.2.2 2004/10/03 17:04:40
+++ ip_fw.h	Fri Nov 26 18:51:15 2004
@@ -353,6 +353,7 @@ struct _ipfw_dyn_rule {
 	u_int64_t	bcnt;		/* byte match counter		*/
 	struct ipfw_flow_id id;		/* (masked) flow id		*/
 	u_int32_t	expire;		/* expire time			*/
+	u_int32_t	created;	/* creation time		*/
 	u_int32_t	bucket;		/* which bucket in hash table	*/
 	u_int32_t	state;		/* state of this rule (typically a
 					 * combination of TCP flags)

--- ip_fw2.c	1.54.2.3 2004/09/17 14:49:08
+++ ip_fw2.c	Fri Nov 26 18:56:41 2004
@@ -1037,6 +1037,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_

 	r->id = *id;
 	r->expire = time_second + dyn_syn_lifetime;
+	r->created = time_second;
 	r->rule = rule;
 	r->dyn_type = dyn_type;
 	r->pcnt = r->bcnt = 0;
@@ -3089,6 +3090,9 @@ ipfw_getrules(struct ip_fw_chain *chain,
 					dst->expire =
 					    TIME_LEQ(dst->expire, time_second) ?
 						0 : dst->expire - time_second ;
+					dst->created =
+					    TIME_LEQ(dst->created, time_second) ?
+					        0 : dst->created - time_second ;
 					bp += sizeof(ipfw_dyn_rule);
 				}
 			}

--- ipfw.8	1.150.2.4 2004/11/08 19:07:03
+++ ipfw.8	Fri Nov 26 18:59:20 2004
@@ -13,7 +13,7 @@
 .Cm add
 .Ar rule
 .Nm
-.Op Fl acdefnNStT
+.Op Fl acCdefnNStT
 .Brq Cm list | show
 .Op Ar rule | first-last ...
 .Nm
@@ -223,6 +223,10 @@ Implies
 When entering or showing rules, print them in compact form,
 i.e., without the optional "ip from any to any" string
 when this does not carry any additional information.
+.It Fl C
+When viewing dynamic firewall rules, print the number of
+seconds since the rule was created rather than the number
+of seconds until the rule expires.
 .It Fl d
 While listing, show dynamic rules in addition to static ones.
 .It Fl e

--- ipfw2.c	1.54.2.3 2004/09/17 14:49:08
+++ ipfw2.c	Fri Nov 26 18:57:04 2004
@@ -67,6 +67,7 @@ int
 		show_sets,		/* display rule sets */
 		test_only,		/* only check syntax */
 		comment_only,		/* only print action and comment */
+		show_created,		/* show creation time */
 		verbose;

 #define	IP_MASK_ALL	0xffffffff
@@ -1367,7 +1368,8 @@ show_dyn_ipfw(ipfw_dyn_rule *d, int pcwi
 	if (pcwidth>0 || bcwidth>0)
 	    printf(" %*llu %*llu (%ds)", pcwidth,
 		align_uint64(&d->pcnt), bcwidth,
-		align_uint64(&d->bcnt), d->expire);
+		align_uint64(&d->bcnt),
+		show_created ? d->created : d->expire);
 	switch (d->dyn_type) {
 	case O_LIMIT_PARENT:
 		printf(" PARENT %d", d->count);
@@ -3906,7 +3908,9 @@ ipfw_main(int oldac, char **oldav)
 		case 'v': /* verbose */
 			verbose = 1;
 			break;
-
+		case 'C': /* created time */
+			show_created = 1;
+			break;
 		default:
 			free_args(save_ac, save_av);
 			return 1;

More information about the freebsd-current mailing list