Implement net.inet.ip.fw.dyn_keep_states for all rule actions, not just for default_to_accept case

Authored by ae on Oct 12 2018, 12:13 PM.

The net.inet.ip.fw.dyn_keep_states sysctl variable allows keeping dynamic states when the parent rule is deleted. But it works only when the default rule is "allow from any to any". The proposed patch reworks this. Now, when a rule with a dynamic opcode is going to be deleted and net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference the named objects corresponding to this rule, and also reference the rule itself.
So, when ipfw_dyn_lookup_state() finds a state for a deleted parent rule, it will return the pointer to the deleted rule, which is still valid.
Also, it is now possible to delete only the specified dynamic states without touching static rules, using the -D flag with ipfw(8).

Diff Detail

rS FreeBSD src repository - subversion
Lint Passed
No Test Coverage
Build Status
Buildable 20159
Build 19650: arc lint + arc unit

Event Timeline

Correct the size of allocated buffer to keep bitmask

Added verbose mode for listing dynamic states
Added ability to delete only dynamic states

ae added a reviewer: network.
This revision was not accepted when it landed; it landed in state Needs Review. Dec 4 2018, 4:03 PM
This revision was automatically updated to reflect the committed changes.