Named states in ipfw

Lev Serebryakov lev at FreeBSD.org
Sun Aug 14 17:20:15 UTC 2016


Hello Freebsd-ipfw,

 I've tried a new build of 12-CURRENT (with the new ipfw feature of named states)
with an OLD ruleset, and I'm disappointed by the user experience.

 The old ruleset contains a lot of "keep-state" and "check-state" statements, and
all this "Ambiguous state names" noise is, really, noise. It looks
ridiculous sometimes:

00000 deny ip from any to any src-ip table(bans) // And it should not be banned
13040 allow ip from any to any src-ip 216.66.80.26 proto ipv6 // IPv6 tunneling through this interface
13050 nat 2 ip from any to any // De-NAT
Line 155: Ambiguous state name '//', 'default' used instead.
: No error: 0
00000 check-state default
13070 skipto 30000 ip from any to any // Allowed local services - common block

 What does this error about "//" mean? The previous and next rules don't
contain state-related tokens. It looks like the errors are out of sync with the
commands, and all this ": No error: 0" -- WTF? Also, all this "default" in
the "ipfw show" output is just noise when there is ONLY the default state.

 Now I think that this syntax of named rules is not good enough to work with
old rulesets. I think something like

  keep-state(name)

or

  keep-state :name

 could be much better. In the first case, all this '(name)' part must be
optional, of course.

 A ton of useless errors (warnings?) in the case of an "old-style" ruleset looks
very ugly, IMHO.

-- 
Best regards,
 Lev                          mailto:lev at FreeBSD.org

