Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 7 Jun 2016 00:53:23 +0300
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        lev@FreeBSD.org, freebsd-ipfw@freebsd.org
Cc:        "Alexander V. Chernikov" <melifaro@FreeBSD.org>, Julian Elischer <julian@freebsd.org>
Subject:   Re: IPFW: more "orthogonal? state operations, push into 11?
Message-ID:  <5755F0D3.9060909@FreeBSD.org>
In-Reply-To: <9229d4f7-8466-57b0-c954-117736102bd7@FreeBSD.org>
References:  <9229d4f7-8466-57b0-c954-117736102bd7@FreeBSD.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--4uCd7gJ6rSo13fKl1CcJaITXRpfina5JF
Content-Type: multipart/mixed; boundary="5DtqKvFN43bWq2CDFVnRFbIeOfPAaNTj0"
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: lev@FreeBSD.org, freebsd-ipfw@freebsd.org
Cc: "Alexander V. Chernikov" <melifaro@FreeBSD.org>,
 Julian Elischer <julian@freebsd.org>
Message-ID: <5755F0D3.9060909@FreeBSD.org>
Subject: Re: IPFW: more "orthogonal? state operations, push into 11?
References: <9229d4f7-8466-57b0-c954-117736102bd7@FreeBSD.org>
In-Reply-To: <9229d4f7-8466-57b0-c954-117736102bd7@FreeBSD.org>

--5DtqKvFN43bWq2CDFVnRFbIeOfPAaNTj0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 06.06.16 22:41, Lev Serebryakov wrote:
>=20
>  I still hope to see https://reviews.freebsd.org/D1776 committed before=

> 11-RELEASE.
>=20
>  It seems to me, that I does everything what was requested by reviewers=
=2E

Hi Lev,

looking at provided description and examples, seems the main task you
want to solve is problem with NAT. But from my point of view, you are
trying to solve it in a easy way wrongly using existing methods.

As you described in patch to ipfw(8) "Problem is, you need to create
dynamic rule before NAT and check it after NAT actions (or vice versa)
to have consistent addresses and ports."

In terms of ipfw(4) a state is represented by ipfw_flow_id structure.
To solve your task you just needs two states - one for not translated
flow and second - for translated. Due to limits of implementation this
looks impossible to solve. But proposed patch with deferred action looks
too hackish to me.

With the following patch you will be able create two different states, I
think, and solve your task with NAT and dynamic rules:
  https://reviews.freebsd.org/D6674

--=20
WBR, Andrey V. Elsukov


--5DtqKvFN43bWq2CDFVnRFbIeOfPAaNTj0--

--4uCd7gJ6rSo13fKl1CcJaITXRpfina5JF
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJXVfDYAAoJEAHF6gQQyKF6kzgH/06yoTWC0u145SmEjid96p9h
j8l4M/qdvbekRVC5oHg1KjVpyCzDaZRYrvyXf5Sb3yK4EfUkbVBg33YkjlyYkY9Z
o0antWtpmWOnM2+HRZt8NsVm2ofCZ+mH6paSmDWKd2+cDnBT1MSRpPTN0YYIRYhI
+lDmSSESNIjdSizyYw6i5BBsjYbzeiFgfYVpoYK8UZS5NS2DnlFhdU4r2Jfmfqp1
1sTrqoW/iBt/4klSXoIaEk+LdG4KDUZ5A8kwrQpmLskfQ04e5xna+Ks+tu/NTHR5
eg8J2Lhi0pkXch7JcdVLx07Z/ei29rkCU2UgjvevQNZdzvoGKVonzy12+1fhiR0=
=bO4z
-----END PGP SIGNATURE-----

--4uCd7gJ6rSo13fKl1CcJaITXRpfina5JF--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?5755F0D3.9060909>