From owner-freebsd-ipfw@freebsd.org Thu Jun 9 21:11:12 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 248C5B70C6A for ; Thu, 9 Jun 2016 21:11:12 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:201:6350::2]) by mx1.freebsd.org (Postfix) with ESMTP id A60441797; Thu, 9 Jun 2016 21:11:11 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from [192.168.1.107] (host81-147-143-168.range81-147.btcentralplus.com [81.147.143.168]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id DDA5B560; Fri, 10 Jun 2016 00:11:07 +0300 (MSK) Message-ID: <5759DB79.10205@FreeBSD.org> Date: Fri, 10 Jun 2016 00:11:21 +0300 From: Lev Serebryakov Reply-To: lev@FreeBSD.org Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: "Andrey V. Elsukov" , freebsd-ipfw@freebsd.org CC: "Alexander V. Chernikov" , Julian Elischer Subject: Re: IPFW: more "orthogonal? state operations, push into 11? References: <9229d4f7-8466-57b0-c954-117736102bd7@FreeBSD.org> <5755F0D3.9060909@FreeBSD.org> In-Reply-To: <5755F0D3.9060909@FreeBSD.org> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Jun 2016 21:11:12 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 07.06.2016 00:53, Andrey V. Elsukov wrote: > looking at provided description and examples, seems the main task > you want to solve is problem with NAT. But from my point of view, > you are trying to solve it in a easy way wrongly using existing > methods. It is was initial driver for this patch, yes, but, please, read subject (? is mistype, of course, it is closing "). Current set of primitives, dealing with state, is terribly wrong, IMHO. "keep-state" which trigger (any!) state check alone is awuful, and complete "keep-state / check-state" pair is ugly hack. It is like CISC vs RISC, actually. New primitives are ORTHOGONAL. Each one solves one and only one well-defined task, state creation, state checking and command execution are well-separated. IMHO, "keep-state" in it current form should be killed with fire. Yes, I understand about backward compatibility and POLA, so I don't propose to really remove it, but, IMHO, new set is much, much better. > As you described in patch to ipfw(8) "Problem is, you need to > create dynamic rule before NAT and check it after NAT actions (or > vice versa) to have consistent addresses and ports." It is only very rudimentary example to show the point of new primitives. All meaningful examples require big and complex rulesets, really. > In terms of ipfw(4) a state is represented by ipfw_flow_id > structure. To solve your task you just needs two states - one for > not translated flow and second - for translated. For what?! Logically it is one flow. NAT is kludge itself, of course, but, IMHO, logically it doesn't create new flow, or connection, whatever your name it. It hacks existing one. > Due to limits of implementation this looks impossible to solve. But > proposed patch with deferred action looks too hackish to me. IMHO, it untangles current very sad situation. > With the following patch you will be able create two different > states, I think, and solve your task with NAT and dynamic rules: > https://reviews.freebsd.org/D6674 Named states are great and very useful by themselves, but how this solve problem, that "keep-state" implies "check-state" rule, for example ? I seen a thousand posts, messages and how-tos about stateful IPFW and all of them suffer from this "keep-state is check-state" problem, really, when you try to structure your firewall in "ingress / egress" per-interface sections and not one small ruleset for one interface. - -- // Lev Serebryakov AKA Black Lion -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQJ8BAEBCgBmBQJXWdt4XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePQ+kP/jTUZQ/W2srUhiRCkTzDsGpy dbODp6utMjQGwtZKgPRVN4+0KuchgJInA6odB/34WKfgW5THpevLkh5do8QGvm+5 /8DcYZOYwCk45TRkjhctBH6u2t0v3TPvjd1pPkknmhd3qE9Zzkk2fi+0iUWBavMH LvLJ+afUlmw8l95Om8g4Per3C7TEWmxXews3k+vg1xgrTtPn6m1Vcwspp7gHe2Zo OIGTzDl0S95SUofQuQX3vD7gPqm6YTnRVhtHrb36saVpP2HCv6e+7vOkyfiTV4nd Mchu3T6e9zJ2cmWBRIE9d/wB18LRVjWE+pvosTf6EEIkRJnUUnCZF19EJj8BS+9X 7+zbPnVeUSo17YdxSTcDXL0cBuzRIsz50V2Q6bFgl313PB9u97a4FeLdNmqEZfnN jEgeonc8loN6Fw/Mgjdn2wjmAhZaWU+zCpozzDPcjevkl9NIVVkMys4iZUUCdRkG yGQtU18X3hHwrbM4uJs7K9JLJj1HHEgpT9mnZ3qxCQ1YKEWZ0plgPvXoFWOiYYIB Ecz19D/kLBad3gVZ0X9NZwqA2XM23UmfMiKqd0ZcoOPiMY1WY35PQWOocOhiCIW4 mhcEwp9ZR2mV7OZEO1ObLiK1Jo/q0xNn2eV9UgSrYJGSjOSLPj+9rC2zOjBbO1EO o1H+cNxLn5zMM4sybo9X =WZgr -----END PGP SIGNATURE-----