DataPlane emits a state record for each network packet matched against a firewall rule marked with the keepstate keyword.
Such state records are cleared up by the GC after a period of inactivity; for a TCP session this period is configured by stateful_firewall_tcp_timeout.
So there is no way to manage session lifetime depending either on its state (half-open, closed, etc.) or on its source or destination.
There are the following major directions to resolve the issue:
1. Implement more configuration options controlling the GC behaviour; they could be configured statically in the configuration file or dynamically via the CLI or another interface.
2. Extend the IPFW keepstate syntax with the desired timeout of the state record to be emitted.
3. Extend the IPFW syntax with a non-terminating rule setting the default timeout for all following keepstate statements.
However, these directions do not contradict each other and may be implemented simultaneously.
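To make the three directions concrete, here is an added, self-contained model of a stateful firewall state table with GC; it is illustration code written for this issue, not DataPlane's implementation. It assumes a hypothetical rule syntax (allow <proto> [dport N] [keepstate [timeout N]] plus a non-terminating keepstate-timeout N line), a hypothetical HALF_OPEN_TIMEOUT GC knob, and a constant standing in for stateful_firewall_tcp_timeout; the flows and timestamps below are constructed. A per-rule timeout overrides the running default, which in turn overrides the global value, and half-open or closed TCP sessions are reclaimed earlier than established ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical stand-in for stateful_firewall_tcp_timeout (seconds of inactivity).
STATEFUL_FIREWALL_TCP_TIMEOUT = 300
# Hypothetical extra GC option (direction 1): cap idle time of TCP sessions
# that never completed the handshake, so SYN floods cannot pin the table.
HALF_OPEN_TIMEOUT = 30

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


@dataclass
class Rule:
    proto: str
    dport: Optional[int]
    keepstate: bool
    timeout: Optional[int]  # per-rule idle timeout (direction 2); None = inherit global

    def matches(self, flow: Flow) -> bool:
        return flow[4] == self.proto and (self.dport is None or flow[3] == self.dport)


@dataclass
class StateRecord:
    rule: Rule
    last_seen: float
    tcp_state: str  # "half-open" | "established" | "closed"


def compile_rules(text: str) -> List[Rule]:
    """Parse the hypothetical rule syntax. 'keepstate-timeout N' is a
    non-terminating rule (direction 3): it sets the default for every
    following keepstate rule until the next such line."""
    rules: List[Rule] = []
    current_default: Optional[int] = None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "keepstate-timeout":
            current_default = int(tok[1])
            continue
        proto = tok[1]
        dport = int(tok[tok.index("dport") + 1]) if "dport" in tok else None
        keepstate = "keepstate" in tok
        timeout = int(tok[tok.index("timeout") + 1]) if "timeout" in tok else current_default
        rules.append(Rule(proto, dport, keepstate, timeout if keepstate else None))
    return rules


def next_state(state: str, flags: str) -> str:
    """Deliberately simplified TCP tracking: FIN/RST closes, first ACK after SYN establishes."""
    if "F" in flags or "R" in flags:
        return "closed"
    if state == "half-open" and "A" in flags:
        return "established"
    return state


class StateTable:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Dict[Flow, StateRecord] = {}

    def packet(self, flow: Flow, now: float, tcp_flags: str = "") -> bool:
        """Return True if the packet is allowed; create/refresh state as needed."""
        rec = self.states.get(flow)
        if rec is not None:
            rec.last_seen = now
            rec.tcp_state = next_state(rec.tcp_state, tcp_flags)
            return True
        for rule in self.rules:
            if rule.matches(flow):
                if rule.keepstate:
                    initial = "half-open" if flow[4] == "tcp" else "established"
                    self.states[flow] = StateRecord(rule, now, initial)
                return True
        return False

    def idle_timeout(self, rec: StateRecord) -> int:
        """Effective timeout: per-rule (or default) value, tightened by TCP state."""
        t = rec.rule.timeout if rec.rule.timeout is not None else STATEFUL_FIREWALL_TCP_TIMEOUT
        if rec.rule.proto == "tcp" and rec.tcp_state == "half-open":
            t = min(t, HALF_OPEN_TIMEOUT)
        if rec.tcp_state == "closed":
            t = 0  # reclaim on the next GC pass
        return t

    def gc(self, now: float) -> List[Flow]:
        """Drop records idle for at least their effective timeout; return what was dropped."""
        expired = [f for f, r in self.states.items() if now - r.last_seen >= self.idle_timeout(r)]
        for f in expired:
            del self.states[f]
        return expired
```

In this model the GC decision is made per record rather than from one global constant, which is exactly what the issue asks for: the timeout can follow the rule that created the state (directions 2 and 3) and the TCP state of the session (direction 1).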