svn commit: r259568 - in head: sbin/ipfw sys/netpfil/ipfw

Alexander V. Chernikov melifaro at FreeBSD.org
Wed Dec 18 20:17:06 UTC 2013 

Author: melifaro
Date: Wed Dec 18 20:17:05 2013
New Revision: 259568
URL: http://svnweb.freebsd.org/changeset/base/259568

Log:
  Add net.inet.ip.fw.dyn_keep_states sysctl which
  re-links dynamic states to default rule instead of
  flushing on rule deletion.
  This can be useful while performing ruleset reload
  (think about `atomic` reload via changing sets).
  Currently it is turned off by default.
  
  MFC after:	2 weeks
  Sponsored by:	Yandex LLC

Modified:
  head/sbin/ipfw/ipfw.8
  head/sys/netpfil/ipfw/ip_fw_dynamic.c

Modified: head/sbin/ipfw/ipfw.8
==============================================================================
--- head/sbin/ipfw/ipfw.8	Wed Dec 18 20:11:01 2013	(r259567)
+++ head/sbin/ipfw/ipfw.8	Wed Dec 18 20:17:05 2013	(r259568)
@@ -2933,6 +2933,11 @@ and
 must be strictly lower than 5 seconds, the period of
 repetition of keepalives.
 The firewall enforces that.
+.It Va net.inet.ip.fw.dyn_keep_states: No 0
+Keep dynamic states on rule/set deletion.
+States are relinked to default rule (65535).
+This can be handly for ruleset reload.
+Turned off by default.
 .It Va net.inet.ip.fw.enable : No 1
 Enables the firewall.
 Setting this variable to 0 lets you run your machine without

Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_dynamic.c	Wed Dec 18 20:11:01 2013	(r259567)
+++ head/sys/netpfil/ipfw/ip_fw_dynamic.c	Wed Dec 18 20:17:05 2013	(r259568)
@@ -106,7 +106,8 @@ __FBSDID("$FreeBSD$");
  *
  * Each dynamic rule holds a pointer to the parent ipfw rule so
  * we know what action to perform. Dynamic rules are removed when
- * the parent rule is deleted. XXX we should make them survive.
+ * the parent rule is deleted. This can be changed by dyn_keep_states
+ * sysctl.
  *
  * There are some limitations with dynamic rules -- we do not
  * obey the 'randomized match', and we do not do multiple
@@ -141,6 +142,10 @@ static VNET_DEFINE(uma_zone_t, ipfw_dyn_
 #define	IPFW_BUCK_UNLOCK(i)	mtx_unlock(&V_ipfw_dyn_v[(i)].mtx)
 #define	IPFW_BUCK_ASSERT(i)	mtx_assert(&V_ipfw_dyn_v[(i)].mtx, MA_OWNED)
 
+
+static VNET_DEFINE(int, dyn_keep_states);
+#define	V_dyn_keep_states		VNET(dyn_keep_states)
+
 /*
  * Timeouts for various events in handing dynamic rules.
  */
@@ -234,6 +239,9 @@ SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AU
 SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive,
     CTLFLAG_RW, &VNET_NAME(dyn_keepalive), 0,
     "Enable keepalives for dyn. rules");
+SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_keep_states,
+    CTLFLAG_RW, &VNET_NAME(dyn_keep_states), 0,
+    "Do not flush dynamic states on rule deletion");
 
 SYSEND
 
@@ -307,6 +315,7 @@ print_dyn_rule_flags(struct ipfw_flow_id
 	print_dyn_rule_flags(id, dtype, LOG_DEBUG, prefix, postfix)
 
 #define TIME_LEQ(a,b)       ((int)((a)-(b)) <= 0)
+#define TIME_LE(a,b)       ((int)((a)-(b)) < 0)
 
 /*
  * Lookup a dynamic rule, locked version.
@@ -1100,6 +1109,20 @@ check_dyn_rules(struct ip_fw_chain *chai
 			if ((TIME_LEQ(q->expire, time_uptime)) ||
 			    ((rule != NULL) && (q->rule == rule)) ||
 			    ((set != RESVD_SET) && (q->rule->set == set))) {
+				if (TIME_LE(time_uptime, q->expire) &&
+				    q->dyn_type == O_KEEP_STATE &&
+				    V_dyn_keep_states != 0) {
+					/*
+					 * Do not delete state if
+					 * it is not expired and
+					 * dyn_keep_states is ON.
+					 * However we need to re-link it
+					 * to any other stable rule
+					 */
+					q->rule = chain->default_rule;
+					NEXT_RULE();
+				}
+
 				/* Unlink q from current list */
 				q_next = q->next;
 				if (q == V_ipfw_dyn_v[i].head)

More information about the svn-src-all mailing list