IPFW: more "orthogonal" state operations, push into 11?

Julian Elischer julian at freebsd.org
Thu Aug 4 16:12:49 UTC 2016


On 4/08/2016 6:50 PM, Andrey V. Elsukov wrote:
> On 04.08.16 06:42, Julian Elischer wrote:
>> so it's a combination of #1 and #2 in my list.  I think I originally
>> thought of having just #1.
>>
>> A combination is less useful for me as you need to do:
>>
>> 20 skipto 400 tcp from table(2) to me setup record-state
>> 21 skipto 400 tcp from table(2) to me setup
>> to make the entire session do the same thing.
> So, in your example what's wrong with just using keep-state?
> "record-state without immediate action" == "keep-state without implicit
> check-state" needed to solve issues with NAT or something similar, that
> was described by Lev.
>
Because keep-state is a check-state for ALL packets going past,
regardless of whether they match the pattern.

At least that's what I have observed.




