IPFW: more "orthogonal" state operations, push into 11?

Julian Elischer julian at freebsd.org
Thu Aug 4 03:42:59 UTC 2016


On 4/08/2016 3:08 AM, Andrey V. Elsukov wrote:
> On 03.08.16 22:07, Lev Serebryakov wrote:
>> On 03.08.2016 21:03, Andrey V. Elsukov wrote:
>>
>>>> 1/ ability to use keep-state without an implicit check-state. <--- most
>>>> important for me. (store-state)?
>>>> 2/ ability to keep-state without actually doing it <---- less important
>>>> for me.
>>> So, if there is nobody against, I plan to commit this part in several
>>> days.
>>   Which implementation? Just curious, I could live with any, really.
> This one
> https://people.freebsd.org/~ae/ipfw.diff
>
> but with separate opcodes, I have come to the opinion that this will
> be more readable.
>
So, reading it, it appears that the record-state saves a rule as a 
target but doesn't actually perform the rule, right?

That needs to be made clearer in the man page.

You say "Instead, the firewall creates a dynamic rule and the search 
continues with the next rule."

so it's a combination of #1 and #2 in my list.  I think I originally 
thought of having just #1.

A combination is less useful for me as you need to do:

20 skipto 400 tcp from table(2) to me setup record-state

21 skipto 400 tcp from table(2) to me setup

to make the entire session do the same thing.