ipfw managing rules - best practice?
Andrey V. Elsukov
bu7cher at yandex.ru
Wed Oct 24 18:44:12 UTC 2018
On 24.10.2018 19:22, Ole wrote:
> # ipfw -d list
> (...)
> 01510 allow tcp from any to xx.xx.xx.xx 6514 out via epair0b setup keep-state :default
> (...)
> ## Dynamic rules (1 152):
> 01510 STATE tcp yy.yy.yy.yy 54451 <-> xx.xx.xx.xx 6514 :default
>
> # ipfw -q flush
>
> # ipfw -d list
> 65535 allow ip from any to any
> ## Dynamic rules (2 288):
> Segmentation fault (core dumped)
This problem is related to named states: the kernel doesn't dump the list of
known state names, and this is the cause of the SIGSEGV.
I have the WIP patch https://people.freebsd.org/~ae/keep_states.diff
It fixes this problem and also adds support for all rule actions.
Also it adds a new -D flag that allows showing only states and deleting
only states. I have tested it basically, but it probably needs some work
related to "limit" dynamic states.
So if you want to test some patches, you can try :)
I tried to apply the patch and observed that stable/11 has a small
difference in UMA code, so you need to use this patch:
https://people.freebsd.org/~ae/keep_states11.diff
Again, I have not yet tested it widely, and on stable/11 have not tested it
at all.
--
WBR, Andrey V. Elsukov