In-Reply-To: <54D21ADD.2090209@FreeBSD.org>
References: <54CFCD45.9070304@FreeBSD.org> <20150203205715.A38620@sola.nimnet.asn.au> <54D0A1AA.4080402@FreeBSD.org> <54D1AA60.4030907@freebsd.org> <54D1E4D4.10106@FreeBSD.org>
 <54D1FE72.1020508@freebsd.org> <20150204231922.X38620@sola.nimnet.asn.au> <54D2188D.5080800@FreeBSD.org> <54D21ADD.2090209@FreeBSD.org>
From: Jason Lewis
To: lev@freebsd.org
Cc: freebsd-ipfw@freebsd.org, Julian Elischer, Ian Smith
Date: Wed, 4 Feb 2015 08:13:00 -0700
Subject: Re: [RFC][patch] Two new actions: state-allow and state-deny
List-Id: IPFW Technical Discussions

The possible issue is that once NAT changes the IP address and possibly the port number, state tracking can no longer be applied. AKA, the packet headers before the NAT are different from the packet headers after. This is why NAT needs to track the state instead of ipfw.
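A simplified model of the mismatch described in the message above, as an added example that is not part of this thread and not FreeBSD or ipfw code: a keep-state style table keyed on the 5-tuple, a source-NAT instance with its own translation table, and a reply packet run through check-state either before or after the NAT undoes its rewrite. The class names, addresses and port numbers are constructed for the illustration. It goes one step past the message in also showing that the NAT's translation table is itself the per-flow state that decides whether an inbound packet can be mapped back at all.

```python
"""Toy model of a 5-tuple keyed dynamic rule colliding with NAT.

Constructed example, not FreeBSD or ipfw code. Class names, addresses and
port numbers are made up for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        # The tuple a reply to this packet carries on the same side of the NAT.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StateTable:
    """Stand-in for dynamic rules: keep-state records the 5-tuple it saw,
    check-state matches a packet in either direction of a recorded flow."""

    def __init__(self):
        self.flows = set()

    def keep_state(self, pkt):
        self.flows.add(pkt.flow())

    def check_state(self, pkt):
        return pkt.flow() in self.flows or pkt.reverse_flow() in self.flows


class SourceNat:
    """Stand-in for a NAT instance. Its translation table is per-flow state:
    an inbound packet with no entry cannot be mapped back and is dropped."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}  # (proto, inner src, inner sport) -> public port
        self.inbound_map = {}   # (proto, public port) -> (inner src, inner sport)

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_port
            self.inbound_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt):
        inner = self.inbound_map.get((pkt.proto, pkt.dport))
        if inner is None:
            return None  # unsolicited: nothing to translate back to, drop
        return replace(pkt, dst=inner[0], dport=inner[1])


# Constructed addresses from private / documentation ranges.
LAN_HOST = "192.168.1.10"
PUBLIC_IP = "203.0.113.5"
REMOTE = "198.51.100.20"


def reply_matches_state(nat_before_check):
    """Outbound: keep-state fires on the untranslated packet, then NAT
    rewrites it. Inbound reply: check-state runs either on the still
    translated header (nat_before_check=False) or after the NAT has undone
    the rewrite (nat_before_check=True). Returns whether check-state hits."""
    state = StateTable()
    nat = SourceNat(PUBLIC_IP)

    outbound = Packet("tcp", LAN_HOST, 51000, REMOTE, 443)
    state.keep_state(outbound)        # keyed on 192.168.1.10:51000 -> REMOTE:443
    on_wire = nat.outbound(outbound)  # header now 203.0.113.5:40000 -> REMOTE:443

    reply = Packet("tcp", REMOTE, 443, on_wire.src, on_wire.sport)
    if nat_before_check:
        reply = nat.inbound(reply)    # back to REMOTE:443 -> 192.168.1.10:51000
    return state.check_state(reply)


def unsolicited_inbound_dropped():
    """With no mapping for the destination port, the NAT has no inner host
    to deliver to, whatever any dynamic rule says."""
    nat = SourceNat(PUBLIC_IP)
    probe = Packet("tcp", REMOTE, 12345, PUBLIC_IP, 40000)
    return nat.inbound(probe) is None


if __name__ == "__main__":
    print("check-state before un-NAT matches reply:", reply_matches_state(False))
    print("check-state after un-NAT matches reply: ", reply_matches_state(True))
    print("unsolicited inbound dropped by NAT:     ", unsolicited_inbound_dropped())
```

The first case is the situation the message describes: the dynamic rule was created on the inner header, the reply still carries the public address and port, and the lookup misses. The second case only works because the lookup happens on the same side of the NAT where the state was recorded, and the NAT can only put the packet back there because it kept its own mapping.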