Date: Tue, 2 Jun 2015 22:39:40 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Lev Serebryakov <lev@freebsd.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Please, review my change to ipfw, I want to commit it :)
Message-ID: <20150602214303.V91076@sola.nimnet.asn.au>
In-Reply-To: <556C6CBB.5010803@FreeBSD.org>
References: <556C6CBB.5010803@FreeBSD.org>
On Mon, 1 Jun 2015 17:31:23 +0300, Lev Serebryakov wrote:

> https://reviews.freebsd.org/D1776
>
> It was discussed in this list some time ago, but looks like
> everything stuck.
>
> Any comments/objections?
>
> This patch works on my router since first patch version without
> problems and allows me to greatly simplify my firewall.

I just glanced over the code for rough gist, looking for intent rather
than correctness - which I would miss. I also reviewed your earlier
posts about this, and think I'm almost starting to get it ..

First, it seems this code won't hurt anyone who doesn't know about it :)
and so could probably be MFC'd before too long without likely damage.

Second, thanks Julian for language patches, it's helped me follow it.

It would be nice if skip-immediate-action could be shortened, especially
where printed by ip_fw2.c .. skip-action may be enough? defer-action?

But mainly, I think this needs some practical, not too complex examples
that clearly show just how these can work with various flows, perhaps a
section for ipfw(8) EXAMPLES?

E.g, some rule sections dealing with NAT states vs IPFW dynamic states
that show how to deal with the very issues and twisty constructs needed
without these, that you pointed out earlier, could be really helpful.

cheers, Ian