Date: Wed, 16 Jul 2003 00:09:14 -0700
From: Luigi Rizzo <luigi@FreeBSD.org>
To: Dag-Erling Smørgrav <des@des.no>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c
Message-ID: <20030716000913.A1936@xorpc.icir.org>
In-Reply-To: <xzpn0ffrlym.fsf@dwp.des.no>; from des@des.no on Wed, Jul 16, 2003 at 09:04:49AM +0200
References: <200307152307.h6FN7YcT018837@repoman.freebsd.org> <xzpn0ffrlym.fsf@dwp.des.no>
On Wed, Jul 16, 2003 at 09:04:49AM +0200, Dag-Erling Smørgrav wrote:
> Luigi Rizzo <luigi@FreeBSD.org> writes:
> > This implements a flexible form of "persistent rules" which you might
> > want to have available even after an "ipfw flush".
> > Note that this change does not violate POLA, because you could not
> > use set 31 in a ruleset before this change.
>
> This reminds me, is there a way to delete a keep-state rule without
> also deleting the dynamic rules it spawned?

No, in the current implementation the dynamic rule references the
parent to know what the action is.

What you _can_ do is disable the set containing the parent rule.
This will prevent the parent rule from matching (thus spawning new
rules) but will still allow the dynamic rule to match and do the
action specified.

[if anyone feels like adding the above comment to the ipfw manpage,
please do it]

cheers
luigi
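As an added illustration (not ipfw code and not from this thread), a small Python model of the semantics Luigi describes: a dynamic entry only references its parent keep-state rule to find the action, so deleting the parent drops the entry, whereas disabling the parent's set stops new state from being created but leaves existing state matching. Rule numbers, set numbers and addresses are constructed; the lookup order (state before static rules) is a simplification, and 65535 stands for ipfw's default rule.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    number: int
    set_no: int
    action: str            # "allow" or "deny"
    keep_state: bool
    matches: object        # predicate on a (src, dst) flow tuple

@dataclass
class Firewall:
    rules: dict = field(default_factory=dict)     # number -> Rule
    dynamic: dict = field(default_factory=dict)   # flow -> parent rule number
    disabled_sets: set = field(default_factory=set)

    def delete(self, number):
        # A dynamic entry holds only its parent's number (to find the action),
        # so it cannot outlive the parent: drop every entry that points at it.
        del self.rules[number]
        self.dynamic = {f: p for f, p in self.dynamic.items() if p != number}

    def check(self, flow):
        # Simplification: state is consulted before the static rules.
        # A disabled parent set is irrelevant here: the dynamic entry matches.
        parent = self.dynamic.get(flow)
        if parent is not None:
            return self.rules[parent].action
        for number in sorted(self.rules):
            rule = self.rules[number]
            if rule.set_no in self.disabled_sets or not rule.matches(flow):
                continue            # a disabled set neither matches nor spawns state
            if rule.keep_state:     # record both directions of the flow
                self.dynamic[flow] = number
                self.dynamic[(flow[1], flow[0])] = number
            return rule.action
        return "deny"

def demo():
    fw = Firewall()
    fw.rules[100] = Rule(100, 5, "allow", True, lambda f: f[0].startswith("10.0.0."))
    fw.rules[65535] = Rule(65535, 0, "deny", False, lambda f: True)  # default rule
    out, back = ("10.0.0.2", "192.0.2.1"), ("192.0.2.1", "10.0.0.2")
    first = fw.check(out)                # static match in set 5 creates state
    fw.disabled_sets.add(5)              # like "ipfw set disable 5"
    reply = fw.check(back)               # existing state still answers
    fresh = fw.check(("10.0.0.3", "192.0.2.1"))  # parent disabled: no new state
    fw.delete(100)                       # like "ipfw delete 100"
    gone = fw.check(out)                 # state went away with the parent
    return first, reply, fresh, gone
```

Running `demo()` returns `("allow", "allow", "deny", "deny")`: the established flow survives the set being disabled, a new flow cannot create state, and deleting the parent takes its dynamic entries with it.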
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030716000913.A1936>