IPFW: more "orthogonal" state operations, push into 11?

Julian Elischer julian at freebsd.org
Thu Aug 4 03:58:28 UTC 2016


So while thinking about states etc, it occurred to me, what does THIS 
do on subsequent packets in the session?


10 skipto tablearg tcp from table(3) to me keep-state


On 4/08/2016 11:42 AM, Julian Elischer wrote:
> On 4/08/2016 3:08 AM, Andrey V. Elsukov wrote:
>> On 03.08.16 22:07, Lev Serebryakov wrote:
>>> On 03.08.2016 21:03, Andrey V. Elsukov wrote:
>>>
>>>>> 1/ ability to use keep-state without an implicit check-state. <--- most important for me. (store-state)?
>>>>> 2/ ability to keep-state without actually doing it <---- less important for me.
>>>> So, if nobody is against it, I plan to commit this part in several days.
>>>   Which implementation? Just curious, I could live with any, really.
>> This one
>> https://people.freebsd.org/~ae/ipfw.diff
>>
>> but with separate opcodes, I have come to the opinion that this will
>> be more readable.
>>
> so, reading it, it appears that the record-state saves a rule as a 
> target but doesn't actually perform the rule, right?
>
> that needs to be made more clear in the man page
>
> you say " Instead, the firewall creates a dynamic rule and the 
> search continues with the next rule."
>
> so it's a combination of #1 and #2 in my list.  I think I originally 
> thought of having just #1.
>
> A combination is less useful for me as you need to do:
>
> 20 skipto 400 tcp from table(2) to me setup record-state
>
> 21 skipto 400 tcp from table(2) to me setup
>
> to make the entire session do the same thing.
