IP Filter's utility program "ipfs" is supposed to save and restore IP Filter's internal state tables. By saving state tables at shutdown and restoring them at boot-time, already established connections aren't disconnected (or hang, depending on your rules). Fix: I've added a few new configuration parameters (ipfs_*) to etc/defaults/rc.conf that may be overridden in etc/rc.conf: ipfs_enable, ipfs_flags, ipfs_program. The attached patches (against RELENG_4, but should also apply to CURRENT) also modify rc.network for restoring the state tables at boot-time. rc.shutdown saves the tables at shutdown-time. (Is there a better place to put this?) Directory db/ipf was added to etc/mtree.var.dist. rc.conf(5) isn't ready yet, but I'll happily provide patches to anyone who wants to commit this functionality. Note that PR bin/27063 (/sbin/ipfs missing) is a prerequisite. How-To-Repeat: (new functionality, thus no How-To-Repeat)
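The save-at-shutdown / restore-at-boot hooks the PR describes, written as an added rc(8)-style example rather than the submitter's actual patch; the ipfs(8) options -W (write tables), -R (read tables back) and -d (state directory), the /var/db/ipf default, and the checkyesno helper are assumptions, not taken from the PR.

```sh
#!/bin/sh
# Added example, not the PR's patch: rc-style hooks driven by the
# ipfs_* knobs the PR introduces. Flag names (-W, -R, -d) and the
# /var/db/ipf default are assumed from ipfs(8), not from the PR.

ipfs_enable="${ipfs_enable:-NO}"            # knob from the PR (rc.conf)
ipfs_program="${ipfs_program:-/sbin/ipfs}"  # knob from the PR; needs PR bin/27063
ipfs_flags="${ipfs_flags:-}"                # knob from the PR, e.g. -v
ipfs_dir="${ipfs_dir:-/var/db/ipf}"         # assumed; matches db/ipf in mtree.var.dist

# Case-insensitive YES/NO test in the style of rc(8) scripts.
checkyesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# rc.shutdown hook: dump the kernel's state and NAT tables to $ipfs_dir.
# Returns 0 when disabled or saved; 1 when enabled but ipfs is missing,
# so a bad rc.conf is reported rather than silently losing the tables.
ipfs_save() {
    checkyesno "$ipfs_enable" || return 0
    if [ ! -x "$ipfs_program" ]; then
        echo "ipfs_save: $ipfs_program is not executable" >&2
        return 1
    fi
    "$ipfs_program" -W -d "$ipfs_dir" $ipfs_flags
}

# rc.network hook: load the saved tables back. A host that has never
# saved (no directory yet) skips quietly instead of failing the boot.
ipfs_restore() {
    checkyesno "$ipfs_enable" || return 0
    [ -d "$ipfs_dir" ] || return 0
    if [ ! -x "$ipfs_program" ]; then
        echo "ipfs_restore: $ipfs_program is not executable" >&2
        return 1
    fi
    "$ipfs_program" -R -d "$ipfs_dir" $ipfs_flags
}
```

Because the restored file re-admits every connection that was established before shutdown, $ipfs_dir should stay root-owned and writable by nobody else.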
Responsible Changed From-To: freebsd-bugs->darrenr Over to the maintainer (and author) of the IPFilter suite.
State Changed From-To: open->feedback These changes have been applied to -current. Updates for rc.conf and rc.conf(5) would be appreciated.
Arjan de Vet and Doug Barton have made patches to the FreeBSD rc system that should solve all of the known problems with IPFilter. Current and stable patches are available at the URL underneath. Please be so kind to: 1) Test the patches if they do work for you 2) mail your feedback to Arjan de Vet (devet@devet.org) 3) If all is worked out and Arjan has the patches committed, please update the PR. Url: http://home.iae.nl/users/devet/freebsd/
State Changed From-To: feedback->closed The patches for this change have been integrated.