IPFW: What is net.inet.ip.fw.dyn_keep_states supposed to be used for?

The basic problem: dynamic states from stateful rules will disappear when the stateful rule gets deleted, and then the connection breaks.
So when updating the rules, I resorted to moving the old rules into some unused and inactive set, where they can linger, so the current sessions will not break/log out.

But that is not a really good solution: it bloats the rule set with old rules, and it does not work with NPTv6, or with net.inet.ip.fw.tables_sets=1.
So, there is an alternative: with net.inet.ip.fw.dyn_keep_states=1 the same should be achieved even when deleting the old rules.

The problem is: it does not work. The dynamic states are indeed kept on rule deletion (and are visible with ipfw -d), and the packets are matched by them, but then the packets seem to disappear into thin air! They are neither logged by some deny rule nor transmitted anywhere.

Looking into the code finally explains the phenomenon:
Code:
                         * In case when dyn_keep_states is enabled, return
                         * pointer to deleted rule and f_pos value
                         * corresponding to penultimate rule.
                         * When we have enabled V_dyn_keep_states, states
                         * that become orphaned will get the DYN_REFERENCED
                         * flag and rule will keep around. So we can return
                         * it. But since it is not in the rules map, we need
                         * return such f_pos value, so after the state
                         * handling if the search will continue, the next rule
                         * will be the last one - the default rule.

Ah yeah. So, the dynamic rules do continue to work - but then, after matching, they will go to 65535 and be silently discarded.

It seems that by just removing that line from the code, things start to work rather as expected, that is: after matching the dynamic state, the packet will continue at the place of the next rule behind the one that set the dynamic state, no matter if that rule is still there or not.
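To make the effect described in this post concrete, here is a small C model of the rule-search continuation after a dynamic-state match. It is an added illustration, not code from the post and not the kernel's ip_fw2.c / ip_fw_dynamic.c: the rule numbers, the four-action rule set, the assumption that the state's nat rule continues the search afterwards (as with one_pass=0), and the "fixed" branch (resume just before the slot the deleted rule used to occupy, my reading of the fix the post describes) are all constructed for the demo.

```c
/*
 * Toy model of how ipfw continues the rule search after a dynamic-state
 * match, with and without the "penultimate rule" f_pos behaviour that the
 * quoted kernel comment describes. Added illustration only; not the code
 * of ip_fw2.c / ip_fw_dynamic.c. Rule numbers, actions and the
 * one_pass=0 style "nat continues the search" assumption are constructed.
 */
#include <stdio.h>

enum action { A_CHECK_STATE, A_NAT_KEEP_STATE, A_ALLOW, A_DENY };

struct rule {
    int num;            /* ipfw rule number; 65535 is the default rule */
    enum action act;
};

/* The full rule set of the example, in rule-number order (constructed). */
static const struct rule all_rules[] = {
    { 100,   A_CHECK_STATE },
    { 200,   A_NAT_KEEP_STATE },   /* the rule that created the state */
    { 300,   A_ALLOW },
    { 65535, A_DENY },             /* default rule, never logged */
};
#define N_ALL ((int)(sizeof all_rules / sizeof all_rules[0]))

/* Position of rule r in the live rule map, or -1 if it was deleted. */
static int find_pos(const struct rule *map, int n, const struct rule *r)
{
    for (int i = 0; i < n; i++)
        if (map[i].num == r->num)
            return i;
    return -1;
}

/*
 * f_pos to resume from when the state's rule is no longer in the map.
 * stock: the penultimate rule, so the next rule is the default rule
 *        (this is what the quoted comment describes).
 * fixed: the slot just before where the deleted rule used to sit, so the
 *        next rule is the one that followed it (assumed fix for the demo).
 */
static int orphan_f_pos(const struct rule *map, int n,
                        const struct rule *r, int fixed)
{
    if (fixed)
        for (int i = 0; i < n; i++)
            if (map[i].num > r->num)
                return i - 1;
    return n - 2;
}

/*
 * Walk the live map for a packet that already has a dynamic state created
 * by state_rule. Returns the number of the rule that decided the packet.
 */
static int chk_model(const struct rule *map, int n,
                     const struct rule *state_rule, int fixed)
{
    for (int f_pos = 0; f_pos < n; f_pos++) {
        const struct rule *f = &map[f_pos];
        switch (f->act) {
        case A_CHECK_STATE: {
            /* state matches: behave as the rule that created it */
            f = state_rule;
            int pos = find_pos(map, n, f);
            if (pos < 0)                          /* orphaned state */
                pos = orphan_f_pos(map, n, f, fixed);
            if (f->act == A_NAT_KEEP_STATE) {    /* nat: search goes on */
                f_pos = pos;                      /* loop resumes at pos+1 */
                continue;
            }
            return f->num;
        }
        case A_NAT_KEEP_STATE:
            continue;                             /* would install a state */
        case A_ALLOW:
        case A_DENY:
            return f->num;
        }
    }
    return 65535;
}

/* Build the live map with rule `deleted` removed (0 = delete nothing)
 * and run the lookup for a packet whose state was created by rule 200. */
int verdict_after_delete(int deleted, int fixed)
{
    struct rule map[N_ALL];
    int n = 0;
    for (int i = 0; i < N_ALL; i++)
        if (all_rules[i].num != deleted)
            map[n++] = all_rules[i];
    return chk_model(map, n, &all_rules[1], fixed);
}

int main(void)
{
    printf("rule 200 present:        decided by %d\n", verdict_after_delete(0, 0));
    printf("rule 200 deleted, stock: decided by %d\n", verdict_after_delete(200, 0));
    printf("rule 200 deleted, fixed: decided by %d\n", verdict_after_delete(200, 1));
    return 0;
}
```

With rule 200 still in the map the packet ends at rule 300 (allow); once 200 is deleted the stock continuation resumes at the penultimate slot and the very next rule is 65535, which is the silent drop described above, while the modelled fix resumes behind the old position of 200 and reaches 300 again.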