Date: Wed, 04 Feb 2015 13:29:26 +0800
From: Julian Elischer <julian@freebsd.org>
To: lev@FreeBSD.org, freebsd-ipfw <freebsd-ipfw@freebsd.org>, freebsd-net <freebsd-net@freebsd.org>
Cc: melifaro@FreeBSD.org
Subject: Re: [RFC][patch] New "keep-state-only" option (version 2)
Message-ID: <54D1AE36.8090504@freebsd.org>
In-Reply-To: <54D0FD9B.5000108@FreeBSD.org>
References: <54D0F39B.4070707@FreeBSD.org> <54D0FD9B.5000108@FreeBSD.org>

On 2/4/15 12:55 AM, Lev Serebryakov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 03.02.2015 19:13, Lev Serebryakov wrote:
>
>> Ok, "allow-state"/"deny-state" was very limited idea. Here is more
>> universal mechanism: new "keep-state-only" (aliased as
>> "record-only") option, which works exactly as "keep-state" BUT
>> cancel match of rule after state creation. It allows to write
>> stateful + nat firewall as easy as:
> To work as expected, "keep-state-only" should not imply "check-state"
> in opposite to "keep-state".

agreed.. I hate the implied check-state.. man page must be very explicit about this..