
AW: ipfilter: flushing of Rules

To: "'ipfilter@coombs.anu.edu.au'" <ipfilter@coombs.anu.edu.au>
Subject: AW: ipfilter: flushing of Rules
From: Peter Jordan <p.jordan@teles.de>
Date: Tue, 30 Jan 2007 11:10:07 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
Sender: owner-ipfilter@coombs.anu.edu.au
Hello,

I'm sorry, in the old ipfilter version the fr_ref is also increased, but already in the fr_addstate function.

The subject of this thread is not correct anymore, because by flushing the rules with ipf -Fa, rules which have a state will also be removed.

But the problem is if I remove rules by ipf -r.
The reason for this is in file fil.c in function frrequest() line 4240:


	/*
	 * Only return EBUSY if there is a group list, else
	 * it's probably just state information referencing
	 * the rule.
	 */
	if (f->fr_ref > 1) {
		error = EBUSY;
		goto done;
	}

In an older implementation there was:

	/*
	 * Return EBUSY if the rule is being referenced by
	 * something else (e.g. state information).
	 */
	if ((f->fr_ref > 1) && f->fr_grp && *(f->fr_grp))
		return EBUSY;

Does anybody know why this change was made?
Thanks
Peter


-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au
[mailto:owner-ipfilter@coombs.anu.edu.au] On behalf of Peter Jordan
Sent: Monday, 29 January 2007 16:06
To: 'ipfilter@coombs.anu.edu.au'
Subject: ipfilter: flushing of Rules


Hello,

we use ipfilter as a firewall with NetBSD 3.0 and IP Filter: v4.1.8 (396).
In an older version (2001/2002) that we ported to Windows, it is possible to
delete rules for which a state exists. In the new version it is no longer
possible because fr_ref is increased in function fr_stinsert (ip_state.c).

Is this change correct? If yes, what are the reasons for it? For me it is much
better if we can remove rules for which a state exists.

Best regards
Peter
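The following is an added example, not code from this thread or from ipfilter itself. It models the two frrequest() checks quoted above with a toy rule/state pair: state_insert() bumps fr_ref the way the thread says fr_stinsert() does, and the two check functions reproduce the old and new conditions verbatim. The struct names (rule, state), the helper functions and the scenario driver are simplified stand-ins, not ipfilter's real structures.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for ipfilter's rule entry: only the two fields
 * the quoted checks look at. */
struct rule {
    int fr_ref;          /* references: the owner plus every state entry */
    const char *fr_grp;  /* group name; NULL or "" when the rule heads no group */
};

/* Constructed stand-in for a state-table entry that points back at its rule. */
struct state {
    struct rule *is_rule;
};

/* Mirrors what the thread says fr_stinsert() does: a new state entry
 * takes a reference on the rule that created it. */
static struct state *state_insert(struct rule *r) {
    struct state *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->is_rule = r;
    r->fr_ref++;
    return s;
}

/* Dropping a state entry gives its reference back. */
static void state_remove(struct state *s) {
    s->is_rule->fr_ref--;
    free(s);
}

/* Older check quoted in the thread: busy only when the rule is referenced
 * AND heads a group. A rule referenced solely by state entries passes,
 * so it can be deleted while state entries still point at it. */
int old_delete_check(const struct rule *f) {
    if ((f->fr_ref > 1) && f->fr_grp && *(f->fr_grp))
        return EBUSY;
    return 0;
}

/* Newer check quoted in the thread: any extra reference, whether from a
 * group list or from state, refuses the delete. */
int new_delete_check(const struct rule *f) {
    if (f->fr_ref > 1)
        return EBUSY;
    return 0;
}

/* Scenario driver: one rule with the given group name (or NULL) and
 * n_states live state entries; returns the error the chosen check reports.
 * At most 8 states are modelled. */
int check_scenario(int (*check)(const struct rule *), const char *grp, int n_states) {
    struct rule r = { .fr_ref = 1, .fr_grp = grp };
    struct state *st[8];
    int i, err;

    if (n_states > 8) n_states = 8;
    if (n_states < 0) n_states = 0;
    for (i = 0; i < n_states; i++)
        st[i] = state_insert(&r);
    err = check(&r);
    for (i = 0; i < n_states; i++)
        state_remove(st[i]);
    return err;
}

int main(void) {
    printf("old check, no group, 2 states: %d\n", check_scenario(old_delete_check, NULL, 2));
    printf("new check, no group, 2 states: %d\n", check_scenario(new_delete_check, NULL, 2));
    printf("old check, group, 0 states:    %d\n", check_scenario(old_delete_check, "grp1", 0));
    printf("new check, no group, 0 states: %d\n", check_scenario(new_delete_check, NULL, 0));
    return 0;
}
```

Running the scenarios shows the behaviour change the thread is about: with two live state entries and no group, the old check returns 0 and the rule would be deleted while state entries still hold is_rule pointers to it; the new check returns EBUSY until those entries are gone. With a group but no state, both checks agree only when fr_ref has actually been raised, so the group case alone is not what separates them.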

