
Implement net.inet.ip.fw.dyn_keep_states for all rule actions, not just for default_to_accept case
ClosedPublic

Authored by ae on Oct 12 2018, 12:13 PM.

Details

Summary

The net.inet.ip.fw.dyn_keep_states sysctl variable allows keeping dynamic states when the parent rule is deleted. But it works only when the default rule is "allow from any to any". The proposed patch reworks this. Now, when a rule with a dynamic opcode is going to be deleted and net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference the named objects corresponding to this rule, and also reference the rule itself.
So, when ipfw_dyn_lookup_state() finds a state for a deleted parent rule, it returns a pointer to the deleted rule, which is still valid.
Also, it is now possible to delete only the specified dynamic states, without touching static rules, using the -D flag with ipfw(8).
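An added example, not part of this review, that walks through the behaviour described above on a throwaway rule: enable the sysctl, add a stateful rule, delete the static rule while its states survive, then purge only those orphaned states with the -D flag. The rule number 100, the ssh-only rule, and the IPFW/SYSCTL overrides (so the script can be dry-run with `echo` on a host without ipfw) are assumptions of this example.

```shell
#!/bin/sh
# Demonstration script (assumed names: rule 100, IPFW/SYSCTL overrides).
IPFW=${IPFW:-ipfw}        # set IPFW=echo for a dry run on a non-FreeBSD host
SYSCTL=${SYSCTL:-sysctl}
RULE=${RULE:-100}

keep_states_demo() {
    # Keep dynamic states alive when their parent rule is deleted.
    "$SYSCTL" net.inet.ip.fw.dyn_keep_states=1

    # Stateful rule: each new TCP connection to port 22 creates a dynamic state.
    "$IPFW" add "$RULE" allow tcp from any to any 22 setup keep-state

    # With dyn_keep_states=1 the states outlive the static rule; they now hold
    # a reference to the deleted rule and to its named objects, so lookups of
    # existing states still resolve to a valid rule pointer.
    "$IPFW" delete "$RULE"

    # -d lists dynamic states alongside the static rules: the orphaned states
    # of rule $RULE are still visible here.
    "$IPFW" -d list

    # New in this change: delete only the dynamic states that belong to rule
    # $RULE, leaving every static rule untouched.
    "$IPFW" -D delete "$RULE"
}
```

Run it as root on a FreeBSD host with ipfw loaded; with `IPFW=echo SYSCTL=echo` it only prints the command sequence.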

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

Correct the size of allocated buffer to keep bitmask

Added verbose mode for listing dynamic states
Added ability to delete only dynamic states

ae added a reviewer: network.
This revision was not accepted when it landed; it landed in state Needs Review. Dec 4 2018, 4:03 PM
This revision was automatically updated to reflect the committed changes.