[RFC][patch] New "keep-state-only" option (version 2)

Julian Elischer julian at freebsd.org
Wed Feb 4 05:29:36 UTC 2015


On 2/4/15 12:55 AM, Lev Serebryakov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 03.02.2015 19:13, Lev Serebryakov wrote:
>
>> Ok, "allow-state"/"deny-state" was a very limited idea. Here is a more
>> universal mechanism: a new "keep-state-only" (aliased as
>> "record-only") option, which works exactly as "keep-state" BUT
>> cancels the match of the rule after state creation. It allows writing
>> a stateful + nat firewall as easily as:
>   To work as expected, "keep-state-only" should not imply "check-state",
> unlike "keep-state".

agreed.. I hate the implied check-state..
man page must be very explicit about this..
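The difference the thread is about (a "keep-state" rule matches and stops evaluation, and also implicitly performs "check-state"; the proposed "keep-state-only" records the dynamic entry but lets evaluation continue, and does not consult the state table) can be seen in a small simulation. The following is an added toy model written for this archive page; it is not ipfw code, not the patch under discussion, and not the ruleset Lev's message refers to. The Packet, Rule and Firewall types, the rule lists, the sample addresses and the simplification that "nat" is a terminal action (as with one_pass enabled) are all constructed assumptions.

```python
"""Toy model of ipfw rule evaluation: "keep-state" vs the proposed
"keep-state-only".  Added illustration, not ipfw or the patch itself.

Modelled semantics (as described in the quoted message):
  keep-state      : implies check-state; on match, records a dynamic entry
                    and the rule's action applies (evaluation stops).
  keep-state-only : records the dynamic entry but the rule does NOT match,
                    so evaluation continues; it does not imply check-state,
                    so an explicit check-state rule is needed for replies.
Assumption: "nat" is treated as a terminal action here (one_pass style).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass
class Rule:
    number: int
    action: str            # "allow", "deny", "nat" or "check-state"
    src: str = "any"       # constructed matcher: exact address or "any"
    dst: str = "any"
    keep_state: bool = False
    keep_state_only: bool = False

    def static_match(self, pkt):
        return self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)


@dataclass
class Firewall:
    rules: list
    states: dict = field(default_factory=dict)  # (proto, src, dst) -> action
    trace: list = field(default_factory=list)   # (rule number, how, action)

    def _lookup(self, pkt):
        """Dynamic-table lookup in both directions (replies match too)."""
        for key in ((pkt.proto, pkt.src, pkt.dst), (pkt.proto, pkt.dst, pkt.src)):
            if key in self.states:
                return self.states[key]
        return None

    def process(self, pkt):
        self.trace = []
        for rule in self.rules:
            # Only check-state and (implied) keep-state consult the table.
            if rule.action == "check-state" or rule.keep_state:
                hit = self._lookup(pkt)
                if hit is not None:
                    self.trace.append((rule.number, "dynamic", hit))
                    return hit
                if rule.action == "check-state":
                    continue
            if not rule.static_match(pkt):
                continue
            if rule.keep_state_only:
                # Record the entry but do not match: fall through.
                self.states[(pkt.proto, pkt.src, pkt.dst)] = rule.action
                self.trace.append((rule.number, "keep-state-only", "continue"))
                continue
            if rule.keep_state:
                self.states[(pkt.proto, pkt.src, pkt.dst)] = rule.action
            self.trace.append((rule.number, "static", rule.action))
            return rule.action
        self.trace.append((65535, "default", "deny"))
        return "deny"


# Constructed sample traffic: LAN host talking to a remote host.
LAN_HOST = "10.0.0.2"
REMOTE = "192.0.2.1"
OUT = Packet(src=LAN_HOST, dst=REMOTE)
REPLY = Packet(src=REMOTE, dst=LAN_HOST)


def demo_keep_state():
    """keep-state: rule 10 matches at once, so nat (rule 20) is never reached;
    the reply is accepted by the implied check-state on rule 10."""
    fw = Firewall([Rule(10, "allow", src=LAN_HOST, keep_state=True),
                   Rule(20, "nat"), Rule(30, "allow")])
    first = fw.process(OUT)
    reply = fw.process(REPLY)
    return first, reply, [t[0] for t in fw.trace]


def demo_keep_state_only():
    """keep-state-only with explicit check-state: state is recorded at rule 10,
    evaluation continues to nat, and the reply is accepted via rule 5."""
    fw = Firewall([Rule(5, "check-state"),
                   Rule(10, "allow", src=LAN_HOST, keep_state_only=True),
                   Rule(20, "nat"), Rule(30, "allow")])
    first = fw.process(OUT)
    first_trace = [t[0] for t in fw.trace]
    reply = fw.process(REPLY)
    return first, first_trace, reply


def demo_without_check_state():
    """Same idea without check-state: the entry exists but is never consulted,
    so the reply falls through to nat instead of the recorded allow."""
    fw = Firewall([Rule(10, "allow", src=LAN_HOST, keep_state_only=True),
                   Rule(20, "nat")])
    fw.process(OUT)
    reply = fw.process(REPLY)
    return reply, len(fw.states)


if __name__ == "__main__":
    print("keep-state:           ", demo_keep_state())
    print("keep-state-only:      ", demo_keep_state_only())
    print("without check-state:  ", demo_without_check_state())
```

The third scenario is the point Julian agrees with: because "keep-state-only" does not imply "check-state", a ruleset that omits an explicit check-state rule records state that nothing ever uses, which is why the man page needs to spell this out.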




More information about the freebsd-net mailing list