Date: Sun, 14 Aug 2016 20:20:16 +0300
From: Lev Serebryakov <lev@FreeBSD.org>
To: freebsd-ipfw@freebsd.org
Cc: "Andrey V. Elsukov" <ae@FreeBSD.org>
Subject: Named states in ipfw
Message-ID: <1812167147.20160814202008@serebryakov.spb.ru>

Hello Freebsd-ipfw,

I've tried a new build of 12-CURRENT (with the new ipfw feature of named states) with an OLD ruleset, and I'm disappointed by the user experience. The old ruleset contains a lot of "keep-state" and "check-state" statements, and all this "Ambiguous state names" noise is, really, noise.

It looks ridiculous sometimes:

    00000 deny ip from any to any src-ip table(bans) // And it should not be banned
    13040 allow ip from any to any src-ip 216.66.80.26 proto ipv6 // IPv6 tunneling through this interface
    13050 nat 2 ip from any to any // De-NAT
    Line 155: Ambiguous state name '//', 'default' used instead.
    : No error: 0
    00000 check-state default
    13070 skipto 30000 ip from any to any // Allowed local services - common block

What does this error about "//" mean? The previous and next rules don't contain state-related tokens. It looks like the errors are out of sync with the commands, and all this ": No error: 0" -- WTF?

Also, all this "default" in "ipfw show" output is just noise when there is ONLY the default state.

Now I think that this syntax of named rules is not good enough to work with old rulesets. I think something like

    keep-state(name)

or

    keep-state :name

could be much better. In the first case, all this '(name)' part must be optional, of course.

A ton of useless errors (warnings?) in the case of an "old-style" ruleset looks very ugly, IMHO.

-- 
Best regards,
 Lev                          mailto:lev@FreeBSD.org
