Date: Tue, 24 Sep 2002 23:01:59 +0000
From: "D. Penev" <dpenev@mail.bg>
To: Kirk Strauser <kirk@strauser.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Can IPFW keep state after a flush?
Message-ID: <20020924230159.GA310@earth.dpsca.bg>
In-Reply-To: <87n0q7l4ns.fsf@pooh.int>
References: <87n0q7l4ns.fsf@pooh.int>

On Tue, Sep 24, 2002 at 11:43:19AM -0500, Kirk Strauser wrote:
>To: freebsd-questions@freebsd.org
>Subject: Can IPFW keep state after a flush?
>From: Kirk Strauser <kirk@strauser.com>
>Date: 24 Sep 2002 11:43:19 -0500
>
>From what I can tell, ipfw's 'flush' command clears the ruleset *and* the
>current list of dynamic (keep-state) rules. Is there any way to ask ipfw to
>flush only the ruleset, but to leave the dynamic rules intact? Ideally,

From ip_fw.c:
[snip]
 * Each dynamic rules holds a pointer to the parent ipfw rule so
 * we know what action to perform. Dynamic rules are removed when
 * the parent rule is deleted.
[snip]

From ip_fw2.c:
 * Each dynamic rule holds a pointer to the parent ipfw rule so
 * we know what action to perform. Dynamic rules are removed when
 * the parent rule is deleted. XXX we should make them survive.

>ipfw could be made to compare the current dynamic rules against any new
>rules that were added, which would allow a sysadmin to implement a new
>ruleset on an already-running system without disturbing any current valid
>connections. Is such a thing possible, or am I dreaming?
>--
>Kirk Strauser
>In Googlis non est, ergo non est.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message

--
Regards,
D. Penev

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message