Add net.inet.ip.fw.dyn_keep_states sysctl which

re-links dynamic states to default rule instead of flushing on rule deletion. This can be useful while performing ruleset reload (think about `atomic` reload via changing sets). Currently it is turned off by default. MFC after: 2 weeks Sponsored by: Yandex LLC
author: melifaro <melifaro@FreeBSD.org> 2013-12-18 20:17:05 +0000
committer: melifaro <melifaro@FreeBSD.org> 2013-12-18 20:17:05 +0000
commit: ce16a97371169a2ff661ae838180ec527f383e52 (patch)
tree: ff26a5b2fef152bea4afc4464edccc687d0e1919 /sbin
parent: 2f0743dad34f9fe5f923cf3f0490c19d31fcb3cf (diff)
download: FreeBSD-src-ce16a97371169a2ff661ae838180ec527f383e52.zip
FreeBSD-src-ce16a97371169a2ff661ae838180ec527f383e52.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 65fa334..a3ac41d 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -2933,6 +2933,11 @@ and
 must be strictly lower than 5 seconds, the period of
 repetition of keepalives.
 The firewall enforces that.
+.It Va net.inet.ip.fw.dyn_keep_states: No 0
+Keep dynamic states on rule/set deletion.
+States are relinked to default rule (65535).
+This can be handly for ruleset reload.
+Turned off by default.
 .It Va net.inet.ip.fw.enable : No 1
 Enables the firewall.
 Setting this variable to 0 lets you run your machine without
author	melifaro <melifaro@FreeBSD.org>	2013-12-18 20:17:05 +0000
committer	melifaro <melifaro@FreeBSD.org>	2013-12-18 20:17:05 +0000
commit	ce16a97371169a2ff661ae838180ec527f383e52 (patch)
tree	ff26a5b2fef152bea4afc4464edccc687d0e1919 /sbin
parent	2f0743dad34f9fe5f923cf3f0490c19d31fcb3cf (diff)
download	FreeBSD-src-ce16a97371169a2ff661ae838180ec527f383e52.zip FreeBSD-src-ce16a97371169a2ff661ae838180ec527f383e52.tar.gz