IPFW: more "orthogonal" state operations, push into 11?

Jan Bramkamp crest at rlwinm.de
Thu Aug 4 16:33:55 UTC 2016



On 04/08/16 18:12, Julian Elischer wrote:
> On 4/08/2016 6:50 PM, Andrey V. Elsukov wrote:
>> On 04.08.16 06:42, Julian Elischer wrote:
>>> so it's a combination of #1 and #2 in my list.  I think I originally
>>> thought of having just #1.
>>>
>>> A combination is less useful for me as you need to do:
>>>
>>> 20 skipto 400 tcp from table(2) to me setup record-state
>>> 21 skipto 400 tcp from table(2) to me setup
>>> to make the entire session do the same thing.
>> So, in your example what wrong with just using keep-state?
>> "record-state without immediate action" == "keep-state without implicit
>> check-state" needed to solve issues with NAT or something similar, that
>> was described by Lev.
>>
> because keep-state is a check-state for ALL packets going past,
> regardless of whether they match the pattern.
>
> at least that's what I have observed.

According to the documentation and my experience it is. As a workaround
I use skipto $stateful + record-state. That way each stateful match
continues processing at $stateful. While it works it's hard to
understand when combined with in-kernel NAT, because you end up with
asymmetric paths through the ruleset for incoming and outgoing packets.
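The skipto $stateful + record-state workaround, written out as an added rule file (loaded with `ipfw /path/to/rules`) that is not from this thread or from the FreeBSD sources; the table contents, rule numbers and the choice of 400 as the $stateful label are assumed for illustration:

```ipfw
# Constructed example: table 2 holds the trusted client networks (assumed value).
table 2 create type addr
table 2 add 192.0.2.0/24

# record-state does not imply check-state, so dynamic rules are consulted only here.
add 100 check-state

# New sessions from trusted clients: record a dynamic rule, then jump to $stateful.
# The dynamic rule inherits this rule's action, so later packets of the same
# session matched by check-state above also continue processing at 400.
add 200 skipto 400 tcp from table(2) to me setup record-state

# With keep-state instead, this rule would perform an implicit check-state for
# every packet reaching it, whether or not it matches "tcp ... setup".
# add 200 skipto 400 tcp from table(2) to me setup keep-state

# Anything else trying to open a connection to this host stops here.
add 300 deny tcp from any to me setup

# $stateful section: only packets that recorded or matched state arrive here.
add 400 allow ip from any to any
```

Inserting an in-kernel nat rule between 300 and 400 makes the asymmetry visible: outgoing packets reach it after the skipto, incoming ones via check-state, so the same session traverses different rule paths in each direction.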

