From: bycn82
To: Ian Smith
Cc: freebsd-ipfw, Lev Serebryakov
Date: Sun, 7 Jun 2015 01:01:51 +0800
Subject: Re: Please, review my change to ipfw, I want to commit it :)

hi

correct me if I am wrong. below is the rule you listed in your email.

add 1000 skipto 2000 all from any to any out xmit outIface
add 1010 skipto 3000 all from any to any in recv outIface
add 2000 skipto 2010 from any to any keep-state
add 2010 nat NR from any to any out // Note this "out" in out section!
add 2020 allow all from any to any
add 3000 nat NR from any to any
add 3010 check-state // Use dynamic rule based on 2000

so for the outgoing traffic, it will hit below rules

1000 skipto
2000 skipto and keep-state
2010 nat

return traffic will

1010 skipto
3000 nat

so I don't see any traffic to check-state

and I did not follow up the ipfw in FB for a while, but below are the rules I test in my dfly environment.

ipfw3 nat 1 config if em0
ipfw3 add 1 check-state
ipfw3 add 2 nat 1 icmp via em0 keep-state
ipfw3 add 3 allow icmp via em1

So actually I still did not get the point :(
I still don't understand what is "skipto-nat-allow"

On 6 June 2015 at 23:41, bycn82 wrote:
> Hi,
>
> I saw my previous email in this thread, but I think I replied that
> without fully reading all the emails.
>
> I like the state-deny and allow,
>
> actually I tried this, in my opinion, the state is a "shortcut" or
> "soft link" which links to another rule
> when the packet matches the state. it will directly skip-to the rule.
> and the destination rule can be allow or deny or others.
>
> Regards,
> Bill Yuan
>
> On 6 June 2015 at 21:48, Ian Smith wrote:
>> On Sat, 6 Jun 2015 19:52:35 +0800, bycn82 wrote:
>>
>> > Hello,
>> > Can you please explain what is going on again,
>> > Sorry I did not follow the emails, I am not checking the FB email for a
>> > while,
>> > I think I missed some emails.
>> > e.g.
>> > what is the purpose of the "skip-immediate-action"
>> > Regards,
>> > Bycn82
>>
>> Hi Bill,
>>
>> please send plain text mail rather than HTML to the lists, thanks.
>>
>> Probably best to start at the several threads from February - some of
>> which you did participate in - from:
>>
>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-February/thread.html
>>
>> and then this thread from here on 1st June:
>>
>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-June/005872.html
>>
>> which points to the review at:
>>
>> https://reviews.freebsd.org/D1776
>>
>> cheers, Ian