Change Details

The net.inet.ip.fw.dyn_keep_states sysctl variable allows to keep dynamic states when parent rule is deleted. But it works only when the default rule is "allow from any to any". The proposed patch reworks this. Now when rule with dynamic opcode is going to be deleted, and net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference named objects, corresponding to this rule, and also reference the rule. So, when ipfw_dyn_lookup_state() will find state for deleted parent rule, it will return the pointer to the deleted rule, that is still valid. TODO: add ability to forcible delete orphaned states.

The net.inet.ip.fw.dyn_keep_states sysctl variable allows to keep dynamic states when parent rule is deleted. But it works only when the default rule is "allow from any to any". The proposed patch reworks this. Now when rule with dynamic opcode is going to be deleted, and net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference named objects, corresponding to this rule, and also reference the rule. So, when ipfw_dyn_lookup_state() will find state for deleted parent rule, it will return the pointer to the deleted rule, that is still valid. Also now it is possible to delete only specified dynamic states without touching static rules using -D flag with ipfw(8).

The net.inet.ip.fw.dyn_keep_states sysctl variable allows to keep dynamic states when parent rule is deleted. But it works only when the default rule is "allow from any to any". The proposed patch reworks this. Now when rule with dynamic opcode is going to be deleted, and net.inet.ip.fw.dyn_keep_states is enabled, existing states will reference named objects, corresponding to this rule, and also reference the rule. So, when ipfw_dyn_lookup_state() will find state for deleted parent rule, it will return the pointer to the deleted rule, that is still valid. TODO: add ability to forcible delete orphanedAlso now it is possible to delete only specified dynamic states without touching statesic rules using -D flag with ipfw(8).