Date: Sun, 16 Jun 2019 22:06:40 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Peter <pmc@citylink.dinoex.sub.org>, freebsd-ipfw@freebsd.org
Subject: Re: ipfw: switching sets does stall the machine
Message-ID: <083acaaf-6262-f582-11ad-71623a88786b@yandex.ru>
In-Reply-To: <20190614201317.GA8840@gate.oper.dinoex.org>
References: <20190614153302.GA4503@gate.oper.dinoex.org>
 <20190614172018.GJ1219@albert.catwhisker.org>
 <20190614201317.GA8840@gate.oper.dinoex.org>
On 14.06.2019 23:13, Peter wrote:
> 2. There are dynamic rules involved. These do not disappear on a
> "set disable". They stay and continue to function - somehow.
>
> 3. When a packet successfully matches a check-state, it does NOT
> continue to be processed at the rule following that check-state.
> Instead, it does continue to be processed at the place after
> the parent keep-state rule that was originally matched!
>
> But what if that keep-state rule is now disabled, and the new
> rules do not line up in their numbering in the exact same way?
> Then this packet appears at some arbitrary place in the rule
> list and may go to wherever.

Dynamic rules use only the "action" part of the parent rule, so when a
dynamic state is "applied" to a packet, it just executes the action of
the parent rule without checking the set to which the rule belongs.
But then, if packet processing is continued, the next rule is checked
from the beginning, and thus its set is checked.

> Obviously this is not an issue if you do keep-state with simple
> Allow or Deny rules - then the packets leave the system after
> matching.
> But such simple keep-state do not work with NAT. For NAT one needs
> a more elaborate approach, like tagging and branching and
> subroutine calling.
>
> So the outcome is:
>
> When switching sets with such a configuration that introduces
> branches and subroutines, the old and new rules need to precisely
> line up to each other, so that the old dynamic rules (which should
> be kept for the network sessions to persist) can reinsert their
> matched packets at places where correct further processing happens.
>
> Doesn't seem like an easy task...

You may try 11.3-BETA where a new implementation of dyn_keep_states was
committed. When you set net.inet.ip.fw.dyn_keep_states=1, the dynamic
states aren't deleted with their parent rules. They are kept until
expiring or explicit deletion (with the -D flag). But the next rule for
states that don't stop packet processing is the last rule. This
probably will not fit your requirements.

-- 
WBR, Andrey V. Elsukov
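The behaviour the thread describes, as a constructed and deliberately simplified model added here (it is not ipfw source code): a check-state hit runs the parent rule's action without checking the parent's set, then resumes at the next enabled rule after the parent's number, or at the last rule with 11.3's dyn_keep_states=1. The rule numbers, the flow string and the use of "count" as a stand-in for the NAT/tag step are assumptions made for the illustration.

```python
from dataclasses import dataclass
RESVD_SET = 31  # set of the default rule; it can never be disabled
@dataclass(frozen=True)
class Rule:
    num: int                  # rule number, i.e. processing order
    rset: int                 # ipfw set the rule belongs to
    action: str               # "check-state", "count", "allow" or "deny"
    keep_state: bool = False  # create a dynamic state when matched
TERMINAL = {"allow", "deny"}

def process(rules, enabled_sets, flow, states, resume_at_last=False):
    """Run one packet of `flow` through the enabled rules; return (verdict, trace).
    `states` maps flow -> parent Rule (updated in place). resume_at_last=True models
    11.3 dyn_keep_states=1: a non-terminal dynamic match resumes at the last rule."""
    # Rules of a disabled set are invisible to the packet, as with "set disable".
    rules = sorted((r for r in rules if r.rset in enabled_sets or r.rset == RESVD_SET),
                   key=lambda r: r.num)
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        trace.append(r.num)
        parent = states.get(flow) if r.action == "check-state" else None
        if parent is not None:
            # Dynamic match: the parent's action runs without any set check ...
            if parent.action in TERMINAL:
                return parent.action, trace
            # ... then processing resumes at the next enabled rule after the parent's
            # number, or (dyn_keep_states=1) at the last rule.
            i = len(rules) - 1 if resume_at_last else next(
                (k for k, x in enumerate(rules) if x.num > parent.num), len(rules))
            continue
        if r.keep_state:
            states[flow] = r      # the state outlives "set disable" of its parent
        if r.action in TERMINAL:
            return r.action, trace
        i += 1                    # count, or check-state with no matching state
    return "deny", trace

def demo():
    # Constructed sets: 0 is the old config; in replacement set 1 the NAT stand-in
    # (count keep-state) sits at 150 instead of 200, so the numbering no longer lines up.
    old = [Rule(100, 0, "check-state"), Rule(200, 0, "count", True), Rule(300, 0, "allow")]
    new = [Rule(110, 1, "check-state"), Rule(150, 1, "count", True), Rule(310, 1, "allow")]
    rules = old + new + [Rule(65535, RESVD_SET, "deny")]
    flow, states = "tcp 10.0.0.1:1234 -> 10.0.0.2:80", {}
    before = process(rules, {0}, flow, states)                 # session established
    fresh = process(rules, {1}, flow, {})                      # new session in set 1
    after = process(rules, {1}, flow, dict(states))            # old session, new set
    kept = process(rules, {1}, flow, dict(states), resume_at_last=True)
    return {"before": before, "fresh": fresh, "after": after, "kept": kept}
```

In the model, the established session's packet re-enters set 1 after rule 200 and so never passes the new NAT stand-in at 150 (trace [110, 310]), while the dyn_keep_states=1 variant sends it straight to the default rule and drops it.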