Date: Thu, 26 May 2016 13:11:13 +0300
From: Dmitry Selivanov <sd@rlan.ru>
To: "Andrey V. Elsukov" <ae@FreeBSD.org>, freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject: Re: [RFC] ipfw named states support
Message-ID: <cf7c98e0-843d-dbec-2f00-836c4ee41f66@rlan.ru>
In-Reply-To: <573C803E.5020600@FreeBSD.org>
References: <573C803E.5020600@FreeBSD.org>

18.05.2016 17:46, Andrey V. Elsukov wrote:
> We have the patch that adds named states support to ipfw.
> The idea is that we add a symbolic name-label to each dynamic state in
> addition to IP addresses, protocol and ports.
> This introduces new syntax for check-state and keep-state rules:
>
> check-state { token | default | any }
> keep-state { token | default }

> 1. Is this feature useful?

Yes.

> 2. How to commit it? Due to changed syntax it can break existing
> rulesets. Probably, we can add some mandatory prefix to state name, e.g.
> ':'.

Maybe create a new opcode, e.g. "save-state", and deprecate "keep-state" with "save-state default".
I'm sorry, I didn't understand what Lev Serebryakov suggests, and I could be duplicating his suggestion.
Maybe it makes sense to add a "search-state" option and use it instead of the "check-state" action. E.g. "allow dst-port 80 search-state NAME".