From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 2 13:03:57 2015
Date: Tue, 2 Jun 2015 22:39:40 +1000 (EST)
From: Ian Smith
To: Lev Serebryakov
cc: freebsd-ipfw@freebsd.org
Subject: Re: Please, review my change to ipfw, I want to commit it :)
In-Reply-To: <556C6CBB.5010803@FreeBSD.org>
Message-ID: <20150602214303.V91076@sola.nimnet.asn.au>
References: <556C6CBB.5010803@FreeBSD.org>

On Mon, 1 Jun 2015 17:31:23 +0300, Lev Serebryakov wrote:
 > https://reviews.freebsd.org/D1776
 >
 > It was discussed in this list some time ago, but looks like
 > everything stuck.
 >
 > Any comments/objections?
 >
 > This patch works on my router since first patch version without
 > problems and allows me to greatly simplify my firewall.

I just glanced over the code for rough gist, looking for intent rather than correctness - which I would miss. I also reviewed your earlier posts about this, and think I'm almost starting to get it ..

First, it seems this code won't hurt anyone who doesn't know about it :) and so could probably be MFC'd before too long without likely damage.

Second, thanks Julian for language patches, it's helped me follow it. It would be nice if skip-immediate-action could be shortened, especially where printed by ip_fw2.c .. skip-action may be enough? defer-action?

But mainly, I think this needs some practical, not too complex examples that clearly show just how these can work with various flows, perhaps a section for ipfw(8) EXAMPLES? E.g., some rule sections dealing with NAT states vs IPFW dynamic states that show how to deal with the very issues and twisty constructs needed without these, that you pointed out earlier, could be really helpful.

cheers, Ian