From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
Date: Tue, 03 Feb 2015 19:13:15 +0300
To: freebsd-ipfw, freebsd-net
Cc: julian@freebsd.org, melifaro@FreeBSD.org
Subject: [RFC][patch] New "keep-state-only" option
Message-ID: <54D0F39B.4070707@FreeBSD.org>

OK, "allow-state"/"deny-state" was a very limited idea. Here is a more universal mechanism: a new "keep-state-only" (aliased as "record-only") option, which works exactly like "keep-state" BUT cancels the match of the rule after state creation.

It allows writing a stateful + NAT firewall as easily as:

    nat 1 config if outIface

    1000 skipto 2000 in
         skipto 3000 out
         deny all from any to any // Safeguard

    2000 skipto 4000 recv inIface
         skipto 6000 recv outIface
         deny all from any to any // Safeguard

    3000 skipto 5000 xmit inIface
         skipto 7000 xmit outIface
         deny all from any to any // Safeguard

    4000 // For sake of simplicity!
         // Real firewall will have some checks about local network here
         allow all from any to any
         deny all from any to any // Safeguard

    5000 // For sake of simplicity!
         // Real firewall will have some checks about local network here
         allow all from any to any
         deny all from any to any // Safeguard

    6000 deny all not dst-ip $EXT_IP
         nat 1 all from any to any
         // All enabled with "keep-state-only" at block 7000 before NAT
         check-state all from any to any
         // Here could be accept rules for our servers or servers in DMZ
         // Disable everything else
         deny all from any to any

    7000 // Here goes rules which could DISABLE outbound external traffic
         // Create state for "check-state" at block 6000 and fallthrough
         allow keep-state-only
         allow src-ip $EXT_IP // Save NAT some work
         nat 1 all from any to any
         allow all from any to any
         deny all from any to any // Safeguard

And variants with multiple NATs and "nat global" become as easy as this, too! No stupid "skipto", no "keep-state" at "incoming from local network" parts of the firewall, nothing!

P.S. I HATE this "all any to any" part!

-- 
// Lev Serebryakov

[Attachment: ipfw-state-only.diff]
[Attachment: ipfw-state-only.diff.sig]
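
The semantics described in the message above, as an added example that is not part of the original post or the attached patch: a toy Python model of the rule walk through a 7000-style outbound block and a 6000-style inbound block, comparing "keep-state-only" with plain "keep-state". The addresses, the flow key (an unordered address pair), the absence of state expiry and the assumption that packets continue to the next rule after "nat" are simplifications made here.

```python
# Toy model (added example, not ipfw code): first-match rule walk with a
# dynamic state table and one NAT instance. Assumptions: flows are keyed by
# the unordered address pair, states never expire, and packets continue to
# the next rule after "nat" (as with net.inet.ip.fw.one_pass=0).
EXT_IP = "203.0.113.1"                      # constructed addresses throughout
CLIENT, SERVER, STRANGER = "192.168.0.10", "198.51.100.7", "198.51.100.99"

def run(rules, pkt, states, nat_map):
    """Walk (action, option) rules; return (verdict, packet as finally seen)."""
    for action, option in rules:
        flow = frozenset(pkt)               # recomputed: NAT may rewrite pkt
        if option == "check-state":
            if flow in states:
                return states[flow], pkt    # perform the recording rule's action
            continue
        if option in ("keep-state", "keep-state-only"):
            states[flow] = action           # install the dynamic rule
            if option == "keep-state-only":
                continue                    # match cancelled, search goes on
        if action == "nat":
            src, dst = pkt
            if option == "out":
                nat_map[dst] = src          # remember who talked to dst
                pkt = (EXT_IP, dst)
            elif dst == EXT_IP and src in nat_map:
                pkt = (src, nat_map[src])   # de-alias the reply
            continue
        return action, pkt
    return "deny", pkt

def demo(option):
    """Outbound block (7000-style) then inbound block (6000-style)."""
    states, nat_map = {}, {}
    out_rules = [("allow", option), ("nat", "out"), ("allow", None)]
    in_rules = [("nat", "in"), (None, "check-state"), ("deny", None)]
    sent = run(out_rules, (CLIENT, SERVER), states, nat_map)
    reply = run(in_rules, (SERVER, EXT_IP), states, nat_map)
    probe = run(in_rules, (STRANGER, EXT_IP), states, nat_map)
    return sent, reply, probe

if __name__ == "__main__":
    for opt in ("keep-state-only", "keep-state"):
        print(opt, demo(opt))
```

With "keep-state-only" the state is recorded on the pre-NAT addresses and the packet still reaches the nat rule, so the de-aliased reply hits check-state while the unsolicited packet is denied. With plain "keep-state" the first rule terminates the search and the packet leaves untranslated.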