Page MenuHomeFreeBSD
Differential D17532

Implement net.inet.ip.fw.dyn_keep_states for all rule actions, not just for default_to_accept case
ClosedPublic
Actions

Authored by ae on Oct 12 2018, 12:13 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 14, 2:12 PM
Unknown Object (File)
Tue, Nov 12, 1:34 AM
Unknown Object (File)
Sun, Nov 3, 11:53 AM
Unknown Object (File)
Oct 17 2024, 2:09 AM
Unknown Object (File)
Oct 10 2024, 1:30 AM
Unknown Object (File)
Oct 7 2024, 5:10 PM
Unknown Object (File)
Oct 4 2024, 5:25 AM
Unknown Object (File)
Sep 27 2024, 2:41 AM
View All 59 Files
Subscribers
imp

Details

Reviewers
melifaro
Group Reviewers
manpages
network
Commits
rS341471: Reimplement how net.inet.ip.fw.dyn_keep_states works.
Summary

The net.inet.ip.fw.dyn_keep_states sysctl variable allows to keep dynamic states when parent rule is deleted. But it works only when the default rule is "allow from any to any". The proposed patch reworks this. Now when rule with dynamic opcode is going to be deleted, and net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference named objects, corresponding to this rule, and also reference the rule.
So, when ipfw_dyn_lookup_state() will find state for deleted parent rule, it will return the pointer to the deleted rule, that is still valid.
Also now it is possible to delete only specified dynamic states without touching static rules using -D flag with ipfw(8).

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ae created this revision.Oct 12 2018, 12:13 PM
Herald added a subscriber: imp. · View Herald TranscriptOct 12 2018, 12:13 PM
Harbormaster completed remote builds in B20158: Diff 49053.Oct 12 2018, 12:13 PM
ae updated this revision to Diff 49054.Oct 12 2018, 12:20 PM

Correct the size of allocated buffer to keep bitmask

Harbormaster completed remote builds in B20159: Diff 49054.Oct 12 2018, 12:20 PM
ae updated this revision to Diff 50362.Nov 13 2018, 1:04 PM

added verbose mode for listing dynamic states
added ability to delete only dynamic states

Herald added a reviewer: manpages. · View Herald TranscriptNov 13 2018, 1:04 PM
Harbormaster completed remote builds in B20784: Diff 50362.Nov 13 2018, 1:04 PM
ae edited the summary of this revision. (Show Details)Nov 13 2018, 1:06 PM
ae added a reviewer: network.
This revision was not accepted when it landed; it landed in state Needs Review.Dec 4 2018, 4:03 PM
Closed by commit rS341471: Reimplement how net.inet.ip.fw.dyn_keep_states works. (authored by ae). · Explain Why
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sys/
netpfil/
ipfw/
209 lines
117 lines
33 lines
201 lines
nat64/
1 line
1 line
nptv6/
1 line

Diff 51582

View Options

head/sys/netpfil/ipfw/ip_fw_dynamic.c

Loading...
View Options

head/sys/netpfil/ipfw/ip_fw_eaction.c

Loading...
View Options

head/sys/netpfil/ipfw/ip_fw_private.h

Loading...
View Options

head/sys/netpfil/ipfw/ip_fw_sockopt.c

Loading...
View Options

head/sys/netpfil/ipfw/nat64/nat64lsn_control.c

Loading...
View Options

head/sys/netpfil/ipfw/nat64/nat64stl_control.c

Loading...
View Options

head/sys/netpfil/ipfw/nptv6/nptv6.c

Loading...