cvs commit: src/sys/netinet ip_fw.h ip_fw2.c
Luigi Rizzo
luigi at FreeBSD.org
Wed Jul 16 00:09:18 PDT 2003
On Wed, Jul 16, 2003 at 09:04:49AM +0200, Dag-Erling Smørgrav wrote:
> Luigi Rizzo <luigi at FreeBSD.org> writes:
> > This implements a flexible form of "persistent rules" which you might
> > want to have available even after an "ipfw flush".
> > Note that this change does not violate POLA, because you could not
> > use set 31 in a ruleset before this change.
>
> This reminds me, is there a way to delete a keep-state rule without
> also deleting the dynamic rules it spawned?
No, in the current implementation the dynamic rule references the parent
to know what the action is.
What you _can_ do is disable the set containing the parent rule.
This will prevent the parent rule from matching (thus spawning new
rules) but will still allow the dynamic rule to match and do
the action specified.
[if anyone feels like adding the above comment to the ipfw manpage,
please do it]
cheers
luigi