From: Julian Elischer <julian@freebsd.org>
To: freebsd-ipfw@freebsd.org
Subject: Re: [RFC] ipfw named states support
Date: Mon, 30 May 2016 12:56:42 +0800
Message-ID: <3c2d7675-926d-5987-fef7-6e6799a43834@freebsd.org>
In-Reply-To: <573C803E.5020600@FreeBSD.org>

On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote:
> Hi All,
>
> We have the patch that adds named states support to ipfw.

I like it and have wished for this for a long time. This allows per-interface state.
Can the state name be set to a variable we can set or something? Then we could have subroutines that can be used for multiple interfaces. (I guess we need variables first.)

> This expands flexibility and functionality.
> Imagine the situation:
>
> [ LAN1 ] <---> [ FW ] <---> [ LAN2 ]
>
> add skipto 10000 ip from any to any via lan1
> add skipto 20000 ip from any to any via lan2
> add deny ip from any to any
> add 10000 count ip from any to any
> ...
> add allow ip from to any keep-state in
> add deny ip from any to any
> add 20000 count ip from any to any
> ...
> add allow ip from to any keep-state in
> add deny ip from any to any
>
> The problem is that a state created by first keep-state rule will act on
> second keep-state rule and allow traffic to go into (out from router's
> point of view) lan2 without any rules actually allowing that.
>
> With named states we can create separate states for each interface and
> they will not match when we don't want this.

What does the ipfw -d list output look like?

> What I want to discuss
> ----------------------
>
> 1. Is this feature useful?
> 2. How to commit it? Due to changed syntax it can break existing
> rulesets. Probably, we can add some mandatory prefix to state name, e.g.
> ':'.
>
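The cross-interface leak Andrey describes, modelled as an added example that is not ipfw code and not part of the thread: a simplified Python model of the quoted two-section ruleset, where keep-state does an implicit check-state and a dynamic rule matches the flow in both directions. It assumes per-interface state names ("lan1"/"lan2", in the spirit of the proposed ':' prefix) and uses constructed example networks and addresses.

```python
"""Constructed model of ipfw keep-state matching for the quoted ruleset.
Not ipfw code: it only keeps the parts that matter for the leak."""
from ipaddress import ip_address, ip_network

LAN1 = ip_network("192.0.2.0/24")        # constructed example nets
LAN2 = ip_network("198.51.100.0/24")


def flow_key(pkt):
    """Direction-independent flow key: a dynamic rule matches both ways."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + tuple(sorted([a, b]))


def iface_section(iface, net, pkt, states, named):
    """One per-interface section of the quoted ruleset:
         allow ip from <net> to any keep-state in
         deny ip from any to any
    keep-state does an implicit check-state first. With named states the
    lookup key carries the interface's state name; otherwise the table is
    shared by both sections, which is the problem under discussion."""
    name = iface if named else ""
    if (name, flow_key(pkt)) in states:
        return "allow (state)"
    if pkt["dir"] == "in" and ip_address(pkt["src"]) in net:
        states.add((name, flow_key(pkt)))
        return "allow (rule, state created)"
    return "deny"


def firewall(pkt, states, named):
    """skipto 10000 via lan1 / skipto 20000 via lan2 / deny."""
    if pkt["iface"] == "lan1":
        return iface_section("lan1", LAN1, pkt, states, named)
    if pkt["iface"] == "lan2":
        return iface_section("lan2", LAN2, pkt, states, named)
    return "deny"


def forward(named):
    """A LAN1 host opens a connection to a LAN2 host: the packet is seen
    'in' on lan1 and then 'out' on lan2. Returns both verdicts."""
    states = set()
    pkt = {"proto": "tcp", "src": "192.0.2.10", "sport": 40000,
           "dst": "198.51.100.20", "dport": 22, "iface": "lan1", "dir": "in"}
    first = firewall(pkt, states, named)
    second = firewall(dict(pkt, iface="lan2", dir="out"), states, named)
    return first, second


if __name__ == "__main__":
    print("shared states:", forward(named=False))  # lan2 section lets it out
    print("named states: ", forward(named=True))   # lan2 section denies it
```

With a shared state table the lan2 section passes the packet on the strength of the state created in the lan1 section; with per-interface names the lan2 section falls through to its own deny, so any outbound permission there has to be written explicitly.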