Date:      Wed, 24 Oct 2018 21:42:00 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Ole <ole@free.de>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw managing rules - best practice?
Message-ID:  <6bb037c2-643d-151b-cb34-f78c97f241d4@yandex.ru>
In-Reply-To: <20181024182252.49ee516b.ole@free.de>
References:  <20180905112847.54287198.ole@free.de> <67544958-07fe-7ff4-b5d2-88bf85324061@yandex.ru> <20181023131220.20c700ba.ole@free.de> <20181024182252.49ee516b.ole@free.de>

On 24.10.2018 19:22, Ole wrote:
> # ipfw -d list
> (...)
> 01510 allow tcp from any to xx.xx.xx.xx 6514 out via epair0b setup keep-state :default
> (...)
> ## Dynamic rules (1 152):
> 01510 STATE tcp yy.yy.yy.yy 54451 <-> xx.xx.xx.xx 6514 :default
>
> # ipfw -q flush
>
> # ipfw -d list
> 65535 allow ip from any to any
> ## Dynamic rules (2 288):
> Segmentation fault (core dumped)

This problem is related to named states: the kernel doesn't dump the list of
known state names, and this is the cause of the SIGSEGV.

I have the WIP patch https://people.freebsd.org/~ae/keep_states.diff
It fixes this problem and also adds support for all rule actions.
It also adds a new -D flag that allows showing only states and deleting
only states. I have tested it basically, but it probably needs some work
related to "limit" dynamic states.
So if you want to test some patches, you can try :)
I tried to apply the patch and observed that stable/11 has a small
difference in UMA code, so you need to use this patch:
	https://people.freebsd.org/~ae/keep_states11.diff

Again, I have not yet tested it widely, and on stable/11 I have not tested
it at all.

-- 
WBR, Andrey V. Elsukov


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6bb037c2-643d-151b-cb34-f78c97f241d4>