From: bycn82
To: lev@freebsd.org
Cc: freebsd-ipfw, "Alexander V. Chernikov", Julian Elischer, freebsd-net
Date: Wed, 4 Feb 2015 18:08:35 +0800
Subject: Re: [RFC][patch] New "keep-state-only" option (version 3)

*Cool, but maybe not all people are following this topic, so can you please simplify it by answering the question below, in order to allow more people to know what is going on here?*

*What kind of problem are you facing, and how does your patch resolve it?*

On 4 February 2015 at 17:24, Lev Serebryakov wrote:

> On 03.02.2015 19:55, Lev Serebryakov wrote:
>
> >> Ok, "allow-state"/"deny-state" was a very limited idea. Here is a
> >> more universal mechanism: a new "keep-state-only" (aliased as
> >> "record-only") option, which works exactly as "keep-state" BUT
> >> cancels the match of the rule after state creation. It allows writing
> >> a stateful + NAT firewall as easily as:
> > To work as expected, "keep-state-only" should not imply
> > "check-state", as opposed to "keep-state".
> Re-installation of state (with the second, third, etc. packet of a
> connection) should update the TCP state of the state (sorry!), or it will die
> in 10 seconds.
> This version seems to be final (apart from the name of the new option!).
> It works perfectly on my router with 2 uplink ISPs.
>
> --
> // Lev Serebryakov AKA Black Lion