Missing sysctl net.inet.ip.fw.dyn_keep_states on FreeBSD 11.2
Julian Elischer
julian at freebsd.org
Mon May 21 14:39:53 UTC 2018
On 21/5/18 2:45 am, Andrey V. Elsukov wrote:
> On 20.05.2018 11:00, 藍挺瑋 wrote:
>> Hello,
>>
>> I upgraded my desktop system from FreeBSD 11.2-BETA1 last week, and I found the
>> sysctl 'net.inet.ip.fw.dyn_keep_states' got removed. I upgraded it again to
>> FreeBSD 11.2-BETA2 today, and I still could not find it. Currently I rely on
>> both 'net.inet.ip.fw.default_to_accept=1' and 'net.inet.ip.fw.dyn_keep_states=1'
>> to be able to reload firewall rules with 'service ipfw restart' without breaking
>> existing TCP connections. As this sysctl variable is still mentioned in the ipfw(8)
>> man page, will it be brought back in future versions, or will there be an
>> alternative solution for firewall rules reload?
> Hi,
>
> I'll try to implement this feature in this new implementation and will
> report back to you. Unfortunately, it will not appear in 11.2-RELEASE,
> but I think it can be resurrected in 11.2-STABLE and 12.0-RELEASE.
> I'm sorry about that.
>
I think a better idea would be to specify a rule number rather than
just 1 or 0, or at least be more flexible.
I use a lot of dynamic rules that have actions like 'skipto' or nat.
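The original poster relies on both sysctls to survive a `service ipfw restart`. The following is an added example, not code from the thread or from FreeBSD: a small POSIX sh check that reads the two knobs quoted above and reports whether a rule reload can be expected to keep existing dynamic states, so that a reload script can refuse to run on a system (such as the 11.2-BETA builds discussed here) where `net.inet.ip.fw.dyn_keep_states` no longer exists. The function names, the verdict strings and the exit-code convention (0 ok, 1 misconfigured, 2 knob missing) are my own; the sysctl names are the ones named in the mail.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether 'service ipfw restart'
# can be expected to keep dynamic states, based on the two sysctls the
# original poster relies on. The values are passed as arguments so the
# decision logic can be exercised on any host; read_knob fetches them on
# a real FreeBSD system.

# read_knob NAME
#   Prints the value of sysctl NAME, or nothing if the knob does not exist
#   (or if sysctl itself is unavailable), instead of failing.
read_knob() {
    sysctl -n "$1" 2>/dev/null || true
}

# keep_states_ok KEEP DEFAULT_TO_ACCEPT
#   KEEP               value of net.inet.ip.fw.dyn_keep_states ("" if missing)
#   DEFAULT_TO_ACCEPT  value of net.inet.ip.fw.default_to_accept
# Prints a one-line verdict. Exit code (my convention):
#   0  both knobs present and set to 1: states survive a reload
#   1  a knob is present but not set to 1
#   2  dyn_keep_states is missing, as on the 11.2-BETA builds in the mail
keep_states_ok() {
    keep=$1
    accept=$2
    if [ -z "$keep" ]; then
        echo "missing: net.inet.ip.fw.dyn_keep_states is absent, a reload flushes dynamic states"
        return 2
    fi
    if [ "$keep" != "1" ]; then
        echo "unsafe: dyn_keep_states=$keep, a reload flushes dynamic states"
        return 1
    fi
    # With default_to_accept=0 the default rule denies, so packets that
    # arrive while the ruleset is being rebuilt are dropped even though
    # the states themselves are kept.
    if [ "$accept" != "1" ]; then
        echo "unsafe: default_to_accept=$accept, traffic is denied while rules are reloaded"
        return 1
    fi
    echo "ok: dynamic states and traffic survive 'service ipfw restart'"
    return 0
}

# Usage on a FreeBSD host: both values are empty on a system without ipfw
# loaded, and dyn_keep_states is empty on 11.2-BETA1/BETA2.
keep_states_ok "$(read_knob net.inet.ip.fw.dyn_keep_states)" \
               "$(read_knob net.inet.ip.fw.default_to_accept)"
```

A reload wrapper would call `keep_states_ok` first and only run `service ipfw restart` when it returns 0; otherwise it should fall back to a method that does not flush the whole ruleset, or at least log that live TCP connections will be cut.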