Missing sysctl net.inet.ip.fw.dyn_keep_states on FreeBSD 11.2
Jan Bramkamp
crest at rlwinm.de
Tue May 22 09:48:56 UTC 2018
On 21.05.18 16:39, Julian Elischer wrote:
> On 21/5/18 2:45 am, Andrey V. Elsukov wrote:
>> On 20.05.2018 11:00, 藍挺瑋 wrote:
>>> Hello,
>>>
>>> I upgraded my desktop system from FreeBSD 11.2-BETA1 last week, and I found
>>> that the sysctl 'net.inet.ip.fw.dyn_keep_states' got removed. I upgraded it
>>> again to FreeBSD 11.2-BETA2 today, and I still could not find it. Currently
>>> I rely on both 'net.inet.ip.fw.default_to_accept=1' and
>>> 'net.inet.ip.fw.dyn_keep_states=1' to be able to reload firewall rules with
>>> 'service ipfw restart' without breaking existing TCP connections. As this
>>> sysctl variable is still mentioned in the ipfw(8) man page, will it be
>>> brought back in future versions, or will there be an alternative solution
>>> for firewall rules reload?
>> Hi,
>>
>> I'll try to implement this feature in this new implementation and will
>> report back to you. Unfortunately, it will not appear in 11.2-RELEASE,
>> but I think it can be resurrected in 11.2-STABLE and 12.0-RELEASE.
>> I'm sorry about that.
>>
> I think a better idea would be to specify a rule number rather than just 1 or 0
>
> Or at least be more flexible.
>
> I use a lot of dynamic rules that have actions like 'skipto' or nat
It would be useful to make it part of the rule what should happen to its
dynamic rules on deletion. Another useful solution would be to make it
part of a set's semantics and offer the option to swap the rule
semantics atomically with rule set swaps to allow for ruleset updates
without losing state.
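The set-swap reload that this thread circles around, written out as an added example (it is not code from the thread, from ipfw, or from FreeBSD): the new rules are built into a disabled spare set and then exchanged with the live set by 'ipfw set swap', so the switch-over itself is one kernel operation. The set numbers (1 live, 2 staging), the IPFW variable with its dry-run convention, and the four sample rules are assumptions. What the swap does not solve is the original complaint: the dynamic states created by the old rules belong to those rules, and whether they survive the final 'delete set' is what net.inet.ip.fw.dyn_keep_states controlled.

```shell
#!/bin/sh
# Added example, not code from the thread: reload an ipfw ruleset by staging
# the new rules into a disabled spare set and swapping it with the live set,
# so the switch-over itself is a single kernel operation.
# Assumptions (not from the thread): the live rules sit in set 1, set 2 is
# kept free as the staging set, and the four rules below are a stand-in for
# a real ruleset. Set 31 is avoided because it holds the default rule.
set -eu

LIVE_SET="${LIVE_SET:-1}"
STAGE_SET="${STAGE_SET:-2}"

# Return 0 if the kernel exposes net.inet.ip.fw.dyn_keep_states (documented
# in ipfw(8); reported missing in the 11.2 betas).
keep_states_supported() {
    sysctl -n net.inet.ip.fw.dyn_keep_states >/dev/null 2>&1
}

# Emit the ruleset into set $1. ipfw allows the same rule number in several
# sets, so the staged copy can mirror the live numbering before the swap.
install_rules() {
    _s="$1"
    $IPFW add 100 set "$_s" check-state
    $IPFW add 200 set "$_s" allow tcp from me to any setup keep-state
    $IPFW add 300 set "$_s" allow tcp from any to me 22 setup keep-state
    $IPFW add 65000 set "$_s" deny ip from any to any
}

# Stage, swap, then drop the old rules. The dynamic states created by the
# old rules belong to those rules; without dyn_keep_states they go away with
# them, which is the behaviour the thread is about.
reload() {
    keep_states_supported ||
        echo "warning: no dyn_keep_states sysctl; states of the old rules will be dropped" >&2
    $IPFW set disable "$STAGE_SET"          # staging set must not match traffic
    $IPFW delete set "$STAGE_SET" || true   # clear leftovers from an aborted run
    install_rules "$STAGE_SET"
    $IPFW set swap "$STAGE_SET" "$LIVE_SET" # new rules go live, old ones go inactive
    $IPFW delete set "$STAGE_SET"           # old rules now sit in the staging set
}

# Dry run unless invoked as "reload-ipfw.sh apply": print the plan instead.
case "${1:-}" in
    apply) IPFW="ipfw -q" ;;
    *)     IPFW="echo ipfw -q" ;;
esac
reload
```

Run it without arguments to see the command sequence it would issue; only 'apply' talks to the kernel. The disable/delete of the staging set before loading is there so a run that was interrupted halfway cannot leave stale rules to be swapped in.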