Date: Mon, 30 May 2016 17:33:17 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Julian Elischer <julian@freebsd.org>, freebsd-ipfw@freebsd.org
Subject: Re: [RFC] ipfw named states support
Message-ID: <574C4F2D.6000304@yandex.ru>
In-Reply-To: <3c2d7675-926d-5987-fef7-6e6799a43834@freebsd.org>
References: <573C803E.5020600@FreeBSD.org> <3c2d7675-926d-5987-fef7-6e6799a43834@freebsd.org>

On 30.05.16 07:56, Julian Elischer wrote:
> On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote:
>> Hi All,
>>
>> We have the patch that adds named states support to ipfw.
>
> like it and have wished for this for a long time
> this allows per-interface state. Can state name be set to a variable we
> can set or something?
> then we could have subroutines that can be used for multiple interfaces.
> (I guess we need variables first)

You are specifying the name when adding a rule. E.g.

# ipfw add allow tcp from me to any out via igb1 keep-state igb1
# ipfw -d show 100
00100 317 36316 allow tcp from me to any out via igb1 keep-state igb1
## Dynamic rules:
00100 5 317 (246s) STATE tcp A.B.C.144 21131 <-> C.D.E.93 22 igb1
00100 0 0 (1s) STATE tcp A.B.C.144 22 <-> F.G.35.120 30876 igb1

# ipfw -d show 200 300
00200 440 42779 allow ip from table(1) to me in keep-state SOME_NET
00300 119 17416 allow tcp from me to any out keep-state MY_OUTGOUING
## Dynamic rules (3 424):
00300 4 254 (286s) STATE tcp A.B.C.144 41280 <-> X.Y.178.135 22 MY_OUTGOUING
00300 3 244 (1s) STATE tcp A.B.C.144 22 <-> C.D.E.93 26951 MY_OUTGOUING
00200 343 33995 (286s) STATE tcp F.G.35.120 62486 <-> A.B.C.144 22 SOME_NET

>> With named states we can create separate states for each interface and
>> they will not match when we don't want this.
> what does the ipfw -d list output look like?

The output is the same, just the state name is added to the end of the line.

-- 
WBR, Andrey V. Elsukov
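
As an added example (not part of the original message and not code from the ipfw patch), here is a small Python parser for the dynamic-rule lines shown above. It groups states by the trailing state name and lists names used by more than one rule. The function names and the `UNNAMED` label are assumptions; the sample is the listing quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the two listings from the message above, joined.
SAMPLE = """\
00100 317 36316 allow tcp from me to any out via igb1 keep-state igb1
## Dynamic rules:
00100 5 317 (246s) STATE tcp A.B.C.144 21131 <-> C.D.E.93 22 igb1
00100 0 0 (1s) STATE tcp A.B.C.144 22 <-> F.G.35.120 30876 igb1
00200 440 42779 allow ip from table(1) to me in keep-state SOME_NET
00300 119 17416 allow tcp from me to any out keep-state MY_OUTGOUING
## Dynamic rules (3 424):
00300 4 254 (286s) STATE tcp A.B.C.144 41280 <-> X.Y.178.135 22 MY_OUTGOUING
00300 3 244 (1s) STATE tcp A.B.C.144 22 <-> C.D.E.93 26951 MY_OUTGOUING
00200 343 33995 (286s) STATE tcp F.G.35.120 62486 <-> A.B.C.144 22 SOME_NET
"""

# rule pkts bytes (ttl) STATE proto src sport <-> dst dport [name]
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"STATE\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)(?:\s+(?P<name>\S+))?$"
)
UNNAMED = "(unnamed)"  # hypothetical label for lines that carry no state name

def parse_dynamic(text):
    """Return one dict per dynamic-state line; static rules and headers are skipped."""
    states = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        for key in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
            rec[key] = int(rec[key])
        rec["name"] = rec["name"] or UNNAMED
        states.append(rec)
    return states

def rules_per_name(states):
    """Map each state name to the set of rule numbers whose states carry it."""
    out = defaultdict(set)
    for rec in states:
        out[rec["name"]].add(rec["rule"])
    return dict(out)

def shared_names(states):
    """Names that appear under more than one rule number, for review."""
    return {n: sorted(r) for n, r in rules_per_name(states).items() if len(r) > 1}
```

Feed it the text of `ipfw -d show` to check that each state name appears only under the rules you expect.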