The net.inet.ip.fw.dyn_keep_states sysctl variable allows keeping dynamic states when the parent rule is deleted. But it works only when the default rule is "allow from any to any". The proposed patch reworks this. Now, when a rule with a dynamic opcode is going to be deleted and net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference the named objects corresponding to this rule, and also reference the rule itself.
So, when ipfw_dyn_lookup_state() finds a state for a deleted parent rule, it will return a pointer to the deleted rule, which is still valid.
Also, it is now possible to delete only the specified dynamic states, without touching static rules, using the -D flag of ipfw(8).
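As an added illustration, not ipfw's own code and not part of this review: a toy model in C of the reference-counting behaviour the summary describes, where a dynamic state pins its parent rule so that a lookup after the rule has been deleted still returns a valid pointer, and the rule's memory is released only when the last state referencing it goes away. The struct and function names, the integer flow key, the `dyn_keep_states` variable and the `states_delete_by_rule()` helper (standing in for the -D behaviour) are all constructed for the demo and do not correspond to the kernel's real types or functions.

```c
/*
 * Added example (not ipfw code): a simplified model of dynamic states
 * holding a reference on their parent rule across rule deletion.
 * Names and the flow key are constructed for the demo.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES  16
#define MAX_STATES 32

struct rule {
	int number;        /* rule number as ipfw(8) would show it */
	int refcnt;        /* one reference from the chain + one per state */
	int deleted;       /* set once unlinked from the static chain */
	char action[16];   /* e.g. "allow" or "deny" */
};

struct dyn_state {
	int in_use;
	int src, dst;          /* constructed flow key (stands in for a 5-tuple) */
	struct rule *parent;   /* referenced for the lifetime of the state */
};

static struct rule *chain[MAX_RULES];       /* static rule chain */
static struct dyn_state states[MAX_STATES]; /* dynamic state table */
/* Models net.inet.ip.fw.dyn_keep_states: 1 = keep states on rule delete. */
static int dyn_keep_states = 1;

static void rule_ref(struct rule *r) { r->refcnt++; }

static void rule_rele(struct rule *r)
{
	if (--r->refcnt == 0)
		free(r);   /* last reference gone: only now is memory released */
}

/* Add a static rule to the chain; the chain holds one reference. */
static struct rule *rule_add(int number, const char *action)
{
	for (int i = 0; i < MAX_RULES; i++) {
		if (chain[i] == NULL) {
			struct rule *r = calloc(1, sizeof(*r));
			if (r == NULL)
				return NULL;
			r->number = number;
			snprintf(r->action, sizeof(r->action), "%s", action);
			rule_ref(r);
			chain[i] = r;
			return r;
		}
	}
	return NULL;
}

/* Create a dynamic state for a flow matched by rule r (keep-state). */
static struct dyn_state *state_install(struct rule *r, int src, int dst)
{
	for (int i = 0; i < MAX_STATES; i++) {
		if (!states[i].in_use) {
			states[i].in_use = 1;
			states[i].src = src;
			states[i].dst = dst;
			states[i].parent = r;
			rule_ref(r);        /* the state pins its parent rule */
			return &states[i];
		}
	}
	return NULL;
}

/* Expire (or explicitly delete) a state and drop its rule reference. */
static void state_expire(struct dyn_state *s)
{
	if (!s->in_use)
		return;
	s->in_use = 0;
	rule_rele(s->parent);
	s->parent = NULL;
}

/* Delete a static rule. With dyn_keep_states == 0 its states go too. */
static int rule_delete(int number)
{
	for (int i = 0; i < MAX_RULES; i++) {
		struct rule *r = chain[i];
		if (r == NULL || r->number != number)
			continue;
		chain[i] = NULL;
		r->deleted = 1;
		if (!dyn_keep_states) {
			for (int j = 0; j < MAX_STATES; j++)
				if (states[j].in_use && states[j].parent == r)
					state_expire(&states[j]);
		}
		rule_rele(r);   /* drop the chain's reference; states may still hold theirs */
		return 0;
	}
	return -1;
}

/* Lookup by flow; returns the parent rule, still valid even if deleted. */
static struct rule *dyn_lookup_state(int src, int dst)
{
	for (int i = 0; i < MAX_STATES; i++)
		if (states[i].in_use && states[i].src == src && states[i].dst == dst)
			return states[i].parent;
	return NULL;
}

/* Constructed stand-in for "ipfw -D delete": drop a rule's states only. */
static int states_delete_by_rule(int number)
{
	int n = 0;
	for (int i = 0; i < MAX_STATES; i++)
		if (states[i].in_use && states[i].parent->number == number) {
			state_expire(&states[i]);
			n++;
		}
	return n;
}

int main(void)
{
	struct rule *r = rule_add(100, "allow");
	state_install(r, 1, 2);
	rule_delete(100);
	struct rule *p = dyn_lookup_state(1, 2);
	printf("state parent: rule %d (%s), deleted=%d, refcnt=%d\n",
	    p->number, p->action, p->deleted, p->refcnt);
	states_delete_by_rule(100);   /* last reference: rule is freed here */
	printf("after state delete: %s\n",
	    dyn_lookup_state(1, 2) ? "found" : "gone");
	return 0;
}
```

The point of the model is the ordering in rule_delete(): the rule is unlinked and marked deleted, but its memory is released only by the final rule_rele(), which with dyn_keep_states enabled happens when the last state expires or is removed, so the pointer a state lookup hands back is never dangling.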
Details
- Reviewers: melifaro
- Group Reviewers: manpages, network
- Commits: rS341471: Reimplement how net.inet.ip.fw.dyn_keep_states works.
Diff Detail
- Repository: rS FreeBSD src repository - subversion
Event Timeline
added verbose mode for listing dynamic states
added ability to delete only dynamic states