--- fwsync/patches/ip_fw_dynamic.patch 2022/06/22 13:01:55 1.1
+++ fwsync/patches/ip_fw_dynamic.patch 2022/08/03 17:10:59 1.2
@@ -1,15 +1,59 @@
 diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c
-index 7b5a7f60e49..a31e21050ad 100644
+index 00b54fa463a..871d7f565fe 100644
 --- a/sys/netpfil/ipfw/ip_fw_dynamic.c
 +++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
-@@ -1959,6 +1959,10 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid,
+@@ -1868,6 +1868,7 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid,
+ struct ipfw_flow_id id;
+ uint32_t hashval, parent_hashval, ruleid, rulenum;
+ int ret;
++ struct ipfw_dyn_hook_extdata edat;
+
+ MPASS(type == O_LIMIT || type == O_KEEP_STATE);
+
+@@ -1959,6 +1960,15 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid,
 #endif
 }
 }
 +
-+ if (!ret && V_hook_state)
-+ V_hook_state(pkt);
++ if (type == O_KEEP_STATE && !ret && V_hook_state) {
++ memset(&edat, 0, sizeof edat);
++ edat.ruleid = ruleid;
++ edat.rulenum = rulenum;
++ edat.fibnum = fibnum;
++ V_hook_state(pkt, &edat);
++ }
 +
 /*
 * EEXIST means that simultaneous thread has created this
 * state. Consider this as success.
+@@ -1970,6 +1980,30 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid,
+ return (ret);
+ }
+
++int
++ipfw_dyn_install_sync_state(const struct ipfw_flow_id *pkt, void *rule, uint32_t ruleid, uint16_t rulenum)
++{
++ int ret = 0;
++ uint32_t hashval;
++ struct ipfw_dyn_info info;
++
++ DYN_INFO_INIT(&info);
++
++ hashval = hash_packet(pkt);
++ if (IS_IP4_FLOW_ID(pkt))
++ ret = dyn_add_ipv4_state(rule, ruleid, rulenum, pkt,
++ NULL, 0, hashval, &info, pkt->fib, 0, O_KEEP_STATE);
++#ifdef INET6
++ else if (IS_IP6_FLOW_ID(pkt))
++ ret = dyn_add_ipv6_state(rule, ruleid, rulenum, pkt,
++ pkt->flow_id6, NULL, 0, hashval, &info, pkt->fib, 0, O_KEEP_STATE);
++#endif /* INET6 */
++ else
++ ret = EAFNOSUPPORT;
++
++ return ret;
++}
++
+ /*
+ * Install dynamic state.
+ * chain - ipfw's instance;
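Review bot: `ipfw_dyn_install_sync_state()` installs a keep-state entry from caller-supplied `rule`, `ruleid`, `rulenum` and `pkt->fib` with no check visible in this hunk, and `rule` is an untyped `void *` handed straight to `dyn_add_ipv4_state()`/`dyn_add_ipv6_state()`. If these values originate from a sync peer, as the fwsync name suggests, a stale or malformed message could leave a pass-through state bound to a rule that no longer exists on this host. The function should therefore confirm that `ruleid`/`rulenum` still match the rule behind `rule` and that `pkt->fib` is within the configured FIB range, or state the contract in a header comment such as `/* Caller must hold a reference on rule and have validated ruleid, rulenum and pkt->fib against the local ruleset. */`. It also returns `EEXIST` unchanged, while the context comment in `dyn_install_state()` (whose body lies mostly outside the hunk) treats `EEXIST` as success; a one-line comment should say whether the difference is intended. In the `dyn_install_state()` change, `V_hook_state` is tested and then read again for the call, so unless hook removal is synchronised elsewhere the pointer should be loaded once into a local before the test.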