From: "Andrey V. Elsukov"
To: lev@FreeBSD.org, freebsd-ipfw@freebsd.org
Cc: "Alexander V. Chernikov", Julian Elischer
Subject: Re: IPFW: more "orthogonal" state operations, push into 11?
Date: Tue, 7 Jun 2016 00:53:23 +0300
Message-ID: <5755F0D3.9060909@FreeBSD.org>
In-Reply-To: <9229d4f7-8466-57b0-c954-117736102bd7@FreeBSD.org>

On 06.06.16 22:41, Lev Serebryakov wrote:
>
> I still hope to see https://reviews.freebsd.org/D1776 committed before
> 11-RELEASE.
>
> It seems to me that I did everything that was requested by reviewers.

Hi Lev,

Looking at the provided description and examples, it seems the main task you want to solve is the problem with NAT. But from my point of view, you are trying to solve it in an easy way, wrongly using existing methods. As you described in the patch to ipfw(8): "Problem is, you need to create dynamic rule before NAT and check it after NAT actions (or vice versa) to have consistent addresses and ports."

In terms of ipfw(4), a state is represented by the ipfw_flow_id structure. To solve your task you just need two states: one for the not-translated flow and a second for the translated one. Due to limits of the implementation this looks impossible to solve. But the proposed patch with deferred action looks too hackish to me.

With the following patch you will be able to create two different states, I think, and solve your task with NAT and dynamic rules:
https://reviews.freebsd.org/D6674

-- 
WBR, Andrey V. Elsukov
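
An added illustration, not part of the original message and not ipfw code: a simplified C model of the situation described above, where a state is keyed by the flow's addresses and ports, so a state recorded before NAT does not match the reply as it arrives on the translated side. The struct layout, helper names and sample addresses are assumptions made for this example.

```c
/* Simplified model, NOT ipfw code: a state is keyed by a flow id
 * (addresses + ports), as the message says of ipfw_flow_id. */
#include <stdint.h>
#include <stdio.h>

struct flow_id { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

#define MAX_STATES 8
static struct flow_id states[MAX_STATES];
static int nstates;

/* Record a state for this flow (the job of a keep-state style rule). */
static void state_add(struct flow_id f) {
    if (nstates < MAX_STATES) states[nstates++] = f;
}

/* A state matches a packet in either direction of the recorded flow. */
static int state_match(struct flow_id p) {
    for (int i = 0; i < nstates; i++) {
        const struct flow_id *s = &states[i];
        int fwd = s->src_ip == p.src_ip && s->dst_ip == p.dst_ip &&
                  s->src_port == p.src_port && s->dst_port == p.dst_port;
        int rev = s->src_ip == p.dst_ip && s->dst_ip == p.src_ip &&
                  s->src_port == p.dst_port && s->dst_port == p.src_port;
        if (fwd || rev) return 1;
    }
    return 0;
}

/* Constructed sample addresses (RFC 1918 and RFC 5737 ranges). */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
/* Flow as the LAN host sends it, and the same flow after NAT. */
static const struct flow_id inner = { IP(192,168,1,10), IP(203,0,113,5), 40000, 80 };
static const struct flow_id outer = { IP(198,51,100,1), IP(203,0,113,5), 50000, 80 };
/* Reply as seen on the wire, before reverse translation. */
static const struct flow_id reply = { IP(203,0,113,5), IP(198,51,100,1), 80, 50000 };

/* Returns 1 if the not-yet-translated reply matches some state. */
static int reply_matches(int add_translated_state) {
    nstates = 0;
    state_add(inner);                            /* state created before NAT */
    if (add_translated_state) state_add(outer);  /* second state, after NAT */
    return state_match(reply);
}

int main(void) {
    printf("one state:  reply matches = %d\n", reply_matches(0));
    printf("two states: reply matches = %d\n", reply_matches(1));
    return 0;
}
```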