Date:      Tue, 22 May 2018 11:48:50 +0200
From:      Jan Bramkamp <crest@rlwinm.de>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Missing sysctl net.inet.ip.fw.dyn_keep_states on FreeBSD 11.2
Message-ID:  <47b9dae6-854f-4cfd-c2e9-34e9fc7878e0@rlwinm.de>
In-Reply-To: <34d30eca-bbb1-e0d0-3b7b-bc211421b665@freebsd.org>
References:  <22feed0d6b659746619604cb20e2e091b79ca480.camel@gmail.com> <8f9ed115-a4ea-c8a2-795b-ce5e77046123@yandex.ru> <34d30eca-bbb1-e0d0-3b7b-bc211421b665@freebsd.org>

On 21.05.18 16:39, Julian Elischer wrote:
> On 21/5/18 2:45 am, Andrey V. Elsukov wrote:
>> On 20.05.2018 11:00, 藍ĉŒşç‘‹ wrote:
>>> Hello,
>>>
>>> I upgraded my desktop system from FreeBSD 11.2-BETA1 last week, and I
>>> found the sysctl 'net.inet.ip.fw.dyn_keep_states' got removed. I
>>> upgraded it again to FreeBSD 11.2-BETA2 today, and I still could not
>>> find it. Currently I rely on both 'net.inet.ip.fw.default_to_accept=1'
>>> and 'net.inet.ip.fw.dyn_keep_states=1' to be able to reload firewall
>>> rules with 'service ipfw restart' without breaking existing TCP
>>> connections. As this sysctl variable is still mentioned in the ipfw(8)
>>> man page, will it be brought back in future versions, or will there be
>>> an alternative solution for firewall rules reload?
>> Hi,
>>
>> I'll try to implement this feature in this new implementation and will
>> report back to you. Unfortunately, it will not appear in 11.2-RELEASE,
>> but I think it can be resurrected in 11.2-STABLE and 12.0-RELEASE.
>> I'm sorry about that.
>>
> I think a better idea would be to specify a rule number rather than just
> 1 or 0.
> 
> Or at least be more flexible.
> 
> I use a lot of dynamic rules that have actions like 'skipto' or nat

It would be useful to make it part of the rule what should happen to its 
dynamic rules on deletion. Another useful solution would be to make it 
part of a set's semantics and offer the option to swap the rule 
semantics atomically with rule set swaps, to allow for ruleset updates 
without losing state.
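As an added illustration of the rule set swap Jan refers to (this is example code, not from the thread or the FreeBSD project): the script below stages a new ruleset in a spare set and activates it with a single `ipfw set swap`, so the reload never leaves a window with no rules loaded, which is what pushed the original poster to `default_to_accept=1`. The rules are constructed sample rules; whether dynamic state bound to the old rules survives their deletion is exactly the question `dyn_keep_states` and this thread are about, and this script does not change that.

```shell
#!/bin/sh
# Added example, not code from the thread: reload an ipfw ruleset by
# staging it in a spare set and activating it with "ipfw set swap", so
# no packet is evaluated against an empty ruleset during the reload.
# The rules are constructed samples. IPFW_DRYRUN=1 prints the ipfw
# command lines instead of executing them.
set -eu

ACTIVE_SET=0    # set holding the live rules (ipfw's default set)
STAGING_SET=30  # spare set; set 31 is reserved for the default rule

# Run ipfw, or print the command line in dry-run mode.
run() {
    if [ "${IPFW_DRYRUN:-0}" = "1" ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw -q "$@"
    fi
}

# Fill the staging set while it is disabled, so the packet path never
# sees a half-loaded ruleset. Rule numbers may duplicate those in the
# active set; rules in different sets are independent.
load_staging() {
    run set disable "$STAGING_SET"
    run delete set "$STAGING_SET"
    run add 100 set "$STAGING_SET" check-state
    run add 200 set "$STAGING_SET" allow tcp from me to any setup keep-state
    run add 300 set "$STAGING_SET" allow tcp from any to me 22 setup keep-state
    run add 400 set "$STAGING_SET" allow icmp from any to any
    run add 65000 set "$STAGING_SET" deny ip from any to any
}

# One call swaps the set numbers: the staged rules become set 0 (enabled)
# and the old rules land in the disabled staging set, then get deleted.
activate_staging() {
    run set swap "$ACTIVE_SET" "$STAGING_SET"
    run delete set "$STAGING_SET"
}

reload_ruleset() {
    load_staging
    activate_staging
}

# Usage: sh reload-ipfw.sh reload   (IPFW_DRYRUN=1 to preview)
case "${1:-}" in
    reload) reload_ruleset ;;
esac
```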