BSD: "ipfw add %d accept ip from any to any established"

With this rule, we don't interfere with already-established (or incoming) connections to routes that we're about to take over. This is what happens by default in Linux/iptables.
2025-01-31 02:33:43 +01:00 · 2010-05-07 20:06:26 -04:00 · 2010-05-07 20:06:26 -04:00 · 680941cb0c
commit 680941cb0c
parent 7043195043
1 changed files with 3 additions and 0 deletions
--- a/firewall.py
+++ b/firewall.py
@ -115,6 +115,9 @@ def do_ipfw(port, subnets):
    if subnets:
        sysctl_set('net.inet.ip.fw.enable', 1)
        sysctl_set('net.inet.ip.forwarding', 1)
+
+        ipfw('add', sport, 'accept', 'ip',
+             'from', 'any', 'to', 'any', 'established')
        
        # create new subnet entries
        for snet,swidth in subnets: