From: "Rodney W. Grimes" <rgrimes@freebsd.org>
Subject: Re: Missing sysctl net.inet.ip.fw.dyn_keep_states on FreeBSD 11.2
Date: Thu, 24 May 2018 08:18:48 -0700 (PDT)
CC: ae@freebsd.org, freebsd-ipfw@freebsd.org
Message-Id: <201805241518.w4OFIm64041005@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <22feed0d6b659746619604cb20e2e091b79ca480.camel@gmail.com>

> Hello,
>
> I upgraded my desktop system from FreeBSD 11.2-BETA1 last week, and I found the
> sysctl 'net.inet.ip.fw.dyn_keep_states' got removed. I upgraded it again to
> FreeBSD 11.2-BETA2 today, and I still could not find it. Currently I rely on
> both 'net.inet.ip.fw.default_to_accept=1' and 'net.inet.ip.fw.dyn_keep_states=1'
> to be able to reload firewall rules with 'service ipfw restart' without breaking
> existing TCP connections. As this sysctl variable is still mentioned in the ipfw(8)
> man page, will it be brought back in future versions, or will there be an
> alternative solution for firewall rules reload?

As a follow-up to this discussion, there has been a merge of code into the
stable/11 branch that should be in the 11.2-BETA3 build that corrects this
missing sysctl. Could you please test this build when it comes out and provide
feedback on how it works for you.

Thanks,
--
Rod Grimes                                                 rgrimes@freebsd.org
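The reload procedure the original poster describes depends on both sysctls being present and set to 1; on a build where dyn_keep_states is missing, 'service ipfw restart' silently loses that protection. The preflight check below is an added example, not code from this thread or from the ipfw project: it inspects sysctl output (passed in as text so it can be exercised offline with constructed samples) and refuses to reload unless both knobs are present and enabled.

```shell
#!/bin/sh
# Added example: preflight check before 'service ipfw restart'.
# The sysctl names come from the thread; the sysctl output is passed in as a
# string so the function can be tested against constructed samples (assumption:
# FreeBSD's "name: value" sysctl output format).

# Return 0 only if both sysctls are present and set to 1; otherwise explain
# on stderr why a rule reload would break existing TCP states and return 1.
ipfw_reload_safe() {
    sysctl_out="$1"
    for key in net.inet.ip.fw.default_to_accept net.inet.ip.fw.dyn_keep_states; do
        val=$(printf '%s\n' "$sysctl_out" | awk -v k="$key" '$1 == k ":" { print $2 }')
        if [ -z "$val" ]; then
            echo "sysctl $key is missing on this build; not reloading ipfw" >&2
            return 1
        fi
        if [ "$val" != "1" ]; then
            echo "$key=$val; a reload would drop existing dynamic states" >&2
            return 1
        fi
    done
    return 0
}

# Live use on FreeBSD: only restart when the check passes.
# ipfw_reload_safe "$(sysctl net.inet.ip.fw)" && service ipfw restart

# Constructed sample sysctl outputs (not captured from a real host).
SAMPLE_OK="net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.dyn_keep_states: 1
net.inet.ip.fw.dyn_buckets: 256"

SAMPLE_MISSING="net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.dyn_buckets: 256"

SAMPLE_DISABLED="net.inet.ip.fw.default_to_accept: 0
net.inet.ip.fw.dyn_keep_states: 1"
```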