From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Julian Elischer, freebsd-ipfw@freebsd.org
Subject: Re: [RFC] ipfw named states support
Date: Mon, 30 May 2016 17:33:17 +0300
Message-ID: <574C4F2D.6000304@yandex.ru>
In-Reply-To: <3c2d7675-926d-5987-fef7-6e6799a43834@freebsd.org>
List-Id: IPFW Technical Discussions

On 30.05.16 07:56, Julian Elischer wrote:
> On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote:
>> Hi All,
>>
>> We have the patch that adds named states support to ipfw.
>
> like it and have wished for this for a long time
> this allows per-interface state. Can state name be set to a variable we
> can set or something?
> then we could have subroutines that can be used for multiple interfaces.
> (I guess we need variables first)

You are specifying the name when adding a rule. E.g.

# ipfw add allow tcp from me to any out igb1 keep-state igb1
# ipfw -d show 100
00100 317 36316 allow tcp from me to any out via igb1 keep-state igb1
## Dynamic rules:
00100 5 317 (246s) STATE tcp A.B.C.144 21131 <-> C.D.E.93 22 igb1
00100 0 0 (1s) STATE tcp A.B.C.144 22 <-> F.G.35.120 30876 igb1
# ipfw -d show 200 300
00200 440 42779 allow ip from table(1) to me in keep-state SOME_NET
00300 119 17416 allow tcp from me to any out keep-state MY_OUTGOUING
## Dynamic rules (3 424):
00300 4 254 (286s) STATE tcp A.B.C.144 41280 <-> X.Y.178.135 22 MY_OUTGOUING
00300 3 244 (1s) STATE tcp A.B.C.144 22 <-> C.D.E.93 26951 MY_OUTGOUING
00200 343 33995 (286s) STATE tcp F.G.35.120 62486 <-> A.B.C.144 22 SOME_NET

>> With named states we can create separate states for each interface and
>> they will not match when we don't want this.
> what does the ipfw -d list output look like?

The output is the same, just the state name is added to the end of the line.

-- 
WBR, Andrey V. Elsukov
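The mail above shows that with named states the only visible change in `ipfw -d show` output is a trailing state name on every STATE line. The following Python is an added example, not code from ipfw or from the patch under discussion: it parses the dynamic-rule lines in that layout, groups states by name, and cross-checks each state's name against the `keep-state NAME` of the static rule that created it, which is the kind of audit an operator might run to confirm that per-interface states are really being kept apart. The layout assumed by the regular expressions is taken from the quoted output only, and the sample text is constructed from the mail's own placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `ipfw -d show 200 300` output quoted in the
# mail; A.B.C.144 and friends are the mail's placeholders, not real hosts.
SAMPLE_OUTPUT = """\
00200 440 42779 allow ip from table(1) to me in keep-state SOME_NET
00300 119 17416 allow tcp from me to any out keep-state MY_OUTGOUING
## Dynamic rules (3 424):
00300 4 254 (286s) STATE tcp A.B.C.144 41280 <-> X.Y.178.135 22 MY_OUTGOUING
00300 3 244 (1s) STATE tcp A.B.C.144 22 <-> C.D.E.93 26951 MY_OUTGOUING
00200 343 33995 (286s) STATE tcp F.G.35.120 62486 <-> A.B.C.144 22 SOME_NET
"""

# Static rule line (assumed layout): number, packet and byte counters, the rule
# body, and a trailing "keep-state NAME".  Rules without keep-state are skipped.
STATIC_RE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+.*\bkeep-state\s+(?P<name>\S+)\s*$"
)

# Dynamic state line (assumed layout): number, counters, "(Ns)" seconds until
# the state expires, STATE, protocol, both endpoints, and the state name.
DYNAMIC_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<name>\S+)\s*$"
)


def parse_dynamic_rules(text):
    """Return one dict per STATE line; banner and static lines are ignored."""
    states = []
    for line in text.splitlines():
        m = DYNAMIC_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
            d[key] = int(d[key])
        states.append(d)
    return states


def parse_static_names(text):
    """Map rule number -> state name declared by that rule's keep-state."""
    names = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            names[int(m.group("rule"))] = m.group("name")
    return names


def states_by_name(states):
    """Group parsed states by the trailing state name."""
    groups = defaultdict(list)
    for s in states:
        groups[s["name"]].append(s)
    return dict(groups)


def check_state_names(text):
    """Return (rule, declared_name, state_name) for every state whose name
    differs from the keep-state name of its parent rule.  An empty list means
    every dynamic entry belongs to the state set its rule declared."""
    declared = parse_static_names(text)
    mismatches = []
    for s in parse_dynamic_rules(text):
        want = declared.get(s["rule"])
        if want is not None and want != s["name"]:
            mismatches.append((s["rule"], want, s["name"]))
    return mismatches


if __name__ == "__main__":
    for name, entries in sorted(states_by_name(parse_dynamic_rules(SAMPLE_OUTPUT)).items()):
        print(f"{name}: {len(entries)} state(s)")
        for e in entries:
            print(f"  rule {e['rule']:05d} {e['proto']} {e['src']}:{e['sport']} "
                  f"<-> {e['dst']}:{e['dport']} expires in {e['ttl']}s")
    print("mismatches:", check_state_names(SAMPLE_OUTPUT))
```

On a live system the text would come from `ipfw -d show` (or `ipfw -d list`, which the mail says prints the same layout) rather than the embedded sample; feeding it to `check_state_names` gives a quick confirmation that no state is being counted under a name its rule did not declare.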