From: Julian Elischer
Subject: Re: [RFC] ipfw named states support
To: Dmitry Selivanov, "Andrey V. Elsukov", freebsd-ipfw
References: <573C803E.5020600@FreeBSD.org>
Date: Mon, 30 May 2016 12:58:40 +0800

On 26/05/2016 6:11 PM, Dmitry Selivanov wrote:
> 18.05.2016 17:46, Andrey V. Elsukov wrote:
>> We have the patch that adds named states support to ipfw.
>> The idea is that we add a symbolic name-label to each dynamic state in
>> addition to IP addresses, protocol and ports.
>> This introduces new syntax for check-state and keep-state rules:
>>
>>   check-state { token | default | any }
>>   keep-state { token | default }
>
>> 1. Is this feature useful?
> Yes.
>> 2. How to commit it? Due to changed syntax it can break existing
>> rulesets. Probably, we can add some mandatory prefix to state name,
>> e.g. ':'.
> Maybe create new opcode, e.g. "save-state", and deprecate
> "keep-state" with "save-state default".
> I'm sorry I didn't understand what Lev Serebryakov suggests, and I
> could duplicate his suggestion.

I have already hoped for a different version of keep-state, that saves
the state without actually acting upon it.

> Maybe there is a sense to add "search-state" option and use it
> instead of "check-state" action. E.g. "allow dst-port 80
> search-state NAME".