Date: Mon, 30 May 2016 12:56:42 +0800
From: Julian Elischer <julian@freebsd.org>
To: freebsd-ipfw@freebsd.org
Subject: Re: [RFC] ipfw named states support
Message-ID: <3c2d7675-926d-5987-fef7-6e6799a43834@freebsd.org>
In-Reply-To: <573C803E.5020600@FreeBSD.org>
References: <573C803E.5020600@FreeBSD.org>
On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote:
> Hi All,
>
> We have the patch that adds named states support to ipfw.

I like it, and have wished for this for a long time. This allows per-interface state.
Can the state name be set to a variable we can set or something? Then we could have
subroutines that can be used for multiple interfaces. (I guess we need variables first.)

> This expands flexibility and functionality.
> Imagine the situation:
>
> [ LAN1 ] <---> [ FW ] <---> [ LAN2 ]
>
> add skipto 10000 ip from any to any via lan1
> add skipto 20000 ip from any to any via lan2
> add deny ip from any to any
> add 10000 count ip from any to any
> ...
> add allow ip from <lan1 nets here> to any keep-state in
> add deny ip from any to any
> add 20000 count ip from any to any
> ...
> add allow ip from <lan2 nets here> to any keep-state in
> add deny ip from any to any
>
> The problem is that a state created by first keep-state rule will act on
> second keep-state rule and allow traffic to go into (out from router's
> point of view) lan2 without any rules actually allowing that.
>
> With named states we can create separate states for each interface and
> they will not match when we don't want this.

What does the "ipfw -d list" output look like?

> What I want to discuss
> ----------------------
>
> 1. Is this feature useful?
> 2. How to commit it? Due to changed syntax it can break existing
> rulesets. Probably, we can add some mandatory prefix to state name, e.g.
> ':'.
>
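The policy bypass Andrey describes, and the fix that named states provide, as a small Python model added here; it is not ipfw's code or the patch under discussion. The addresses, the interface names and the reduction of each section to its single keep-state rule plus the trailing deny are constructed to mirror the quoted ruleset (the RFC only shows "<lan1 nets here>" placeholders), and the matching semantics are simplified to what the thread relies on: a keep-state rule first behaves as check-state and then, if its body matches, creates a state.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample addressing standing in for "<lan1 nets here>" / "<lan2 nets here>".
NETS = {
    "lan1": [ipaddress.ip_network("10.1.0.0/16")],
    "lan2": [ipaddress.ip_network("10.2.0.0/16")],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet is seen on ("via lan1" / "via lan2")
    direction: str  # "in" or "out" relative to the firewall


class Firewall:
    """Toy model of the two-section ruleset from the RFC.

    Each interface section is condensed to the rule
        allow ip from <its nets> to any keep-state[:name] in
    followed by "deny ip from any to any".  keep-state first acts as a
    check-state (matching existing dynamic states in either direction),
    then, if the rule body matches, creates a new state.
    """

    def __init__(self, named: bool):
        self.named = named
        self.states = set()  # entries are (src, dst, state_name)

    def _state_name(self, section: str) -> str:
        # Unnamed states all share one implicit name, so every keep-state
        # rule sees every state.  Named states are tied to their section,
        # mirroring the ":name" prefix proposed in the RFC.
        return section if self.named else "default"

    def _check_state(self, pkt: Packet, name: str) -> bool:
        return any(
            n == name and {s, d} == {pkt.src, pkt.dst}
            for (s, d, n) in self.states
        )

    def process(self, pkt: Packet) -> str:
        section = pkt.iface            # "skipto 10000 ... via lan1", etc.
        name = self._state_name(section)
        if self._check_state(pkt, name):
            return "allow"             # matched an existing dynamic state
        src = ipaddress.ip_address(pkt.src)
        if pkt.direction == "in" and any(src in n for n in NETS[section]):
            self.states.add((pkt.src, pkt.dst, name))
            return "allow"             # rule body matched, state created
        return "deny"                  # fell through to "deny ip from any to any"


def forward_path(named: bool) -> tuple[str, str]:
    """A LAN1 host opens a connection to a LAN2 host.

    The firewall evaluates the same packet twice: once as it arrives on
    lan1 (section 10000) and once as it leaves on lan2 (section 20000).
    With unnamed states the second pass is allowed by the state the first
    pass created, even though the lan2 section never permits it.
    """
    fw = Firewall(named)
    arriving = Packet("10.1.0.5", "10.2.0.7", "lan1", "in")
    leaving = Packet("10.1.0.5", "10.2.0.7", "lan2", "out")
    return fw.process(arriving), fw.process(leaving)


if __name__ == "__main__":
    print("unnamed states:", forward_path(named=False))  # ('allow', 'allow')
    print("named states:  ", forward_path(named=True))   # ('allow', 'deny')
```

With named states the lan2 section only honours states it created itself, so traffic into LAN2 is denied until a rule in that section explicitly allows it, which is the behaviour the RFC is after. FreeBSD 11 later shipped exactly this ":name" form as keep-state :name / check-state :name.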