From: Julian Elischer <julian@freebsd.org>
To: Andrey V. Elsukov, 藍挺瑋
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Missing sysctl net.inet.ip.fw.dyn_keep_states on FreeBSD 11.2
Date: Mon, 21 May 2018 22:39:38 +0800
Message-ID: <34d30eca-bbb1-e0d0-3b7b-bc211421b665@freebsd.org>
In-Reply-To: <8f9ed115-a4ea-c8a2-795b-ce5e77046123@yandex.ru>
References: <22feed0d6b659746619604cb20e2e091b79ca480.camel@gmail.com> <8f9ed115-a4ea-c8a2-795b-ce5e77046123@yandex.ru>
List-Id: IPFW Technical Discussions

On 21/5/18 2:45 am, Andrey V. Elsukov wrote:
> On 20.05.2018 11:00, 藍挺瑋 wrote:
>> Hello,
>>
>> I upgraded my desktop system from FreeBSD 11.2-BETA1 last week, and I found the
>> sysctl 'net.inet.ip.fw.dyn_keep_states' got removed. I upgraded it again to
>> FreeBSD 11.2-BETA2 today, and I still could not find it. Currently I rely on
>> both 'net.inet.ip.fw.default_to_accept=1' and 'net.inet.ip.fw.dyn_keep_states=1'
>> to be able to reload firewall rules with 'service ipfw restart' without breaking
>> existing TCP connections. As this sysctl variable is still mentioned in the ipfw(8)
>> man page, will it be brought back in future versions, or will there be an
>> alternative solution for firewall rules reload?
> Hi,
>
> I'll try to implement this feature in this new implementation and will
> report back to you. Unfortunately, it will not appear in 11.2-RELEASE,
> but I think it can be resurrected in 11.2-STABLE and 12.0-RELEASE.
> I'm sorry about that.
>
I think a better idea would be to specify a rule number rather than just 1 or 0.
Or at least be more flexible. I use a lot of dynamic rules that have actions
like 'skipto' or nat
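The reload the original poster describes, written out as a small POSIX sh script. This is an added example, not code from this thread, from FreeBSD's rc.d or from the ipfw project: it probes for the sysctl the poster relies on, refuses a plain flush-and-reload when the kernel does not offer it (without dyn_keep_states the flush drops every dynamic state and cuts established TCP sessions), and otherwise enables the sysctl, flushes and re-adds the rules. The rule file path, the one-rule-per-line file format, the FORCE variable and the sample ruleset are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from this thread or from FreeBSD's rc.d scripts.
# Reload an ipfw ruleset while keeping existing dynamic (keep-state)
# entries where the kernel exposes net.inet.ip.fw.dyn_keep_states.
# Assumed for illustration: the RULES path, the FORCE variable and the
# sample ruleset written by write_sample_rules.
#
# Rule file format (assumption): one ipfw argument list per line, e.g.
#   add 100 check-state
# Lines starting with '#' and blank lines are ignored.

RULES="${RULES:-/etc/ipfw.rules}"   # hypothetical default path

# Exit 0 if the kernel exposes the named sysctl (read-only probe).
have_sysctl() {
    sysctl -n "$1" >/dev/null 2>&1
}

# Choose how to reload:
#   keep   - dyn_keep_states exists; flush + reload keeps dynamic states
#   window - it does not; a flush drops every state and cuts established
#            TCP sessions, so only proceed when the caller sets FORCE=1
reload_strategy() {
    if have_sysctl net.inet.ip.fw.dyn_keep_states; then
        echo keep
    else
        echo window
    fi
}

# Flush and reload. Returns 0 on success, 2 when refusing (no
# dyn_keep_states and FORCE != 1), 1 on an ipfw/sysctl error.
reload_rules() {
    case $(reload_strategy) in
    keep)
        sysctl net.inet.ip.fw.dyn_keep_states=1 >/dev/null || return 1
        ;;
    window)
        if [ "${FORCE:-0}" != 1 ]; then
            echo "reload_rules: no net.inet.ip.fw.dyn_keep_states; a flush would drop all dynamic states (set FORCE=1 to do it anyway)" >&2
            return 2
        fi
        ;;
    esac
    # Caveat: between the flush and the last 'add' only the default rule
    # exists. With net.inet.ip.fw.default_to_accept=1 (what the poster uses
    # so sessions survive) the host is fail-open for that window, so keep
    # the rule file short and apply it quietly.
    ipfw -q -f flush || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
        ''|\#*) continue ;;
        esac
        # word splitting of $line into ipfw arguments is intended
        ipfw -q $line || return 1
    done < "$RULES"
}

# Constructed sample ruleset (not from the thread): stateful outbound policy.
write_sample_rules() {
    cat > "$1" <<'EOF'
# match existing states before anything else
add 100 check-state
add 200 allow tcp from me to any setup keep-state
add 300 allow udp from me to any keep-state
add 400 allow icmp from any to any
add 500 deny log ip from any to any
EOF
}

# Stand-alone use on a FreeBSD host: RULES=/path/to/rules sh ipfw-reload.sh run
if [ "${1:-}" = run ]; then
    reload_rules
fi
```

Julian's point about a rule number rather than a 1/0 flag bears on the rule file itself: ipfw(8) documents that a check-state match executes the action of the rule that created the state, so a kept state is only useful if, after the reload, it still resolves to a rule with the intended action (a 'skipto' or 'nat' target, for instance). Keep the numbers of the keep-state rules identical between the old and the new file.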