From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
Date: Mon, 02 Feb 2015 22:17:25 +0300
To: freebsd-ipfw, freebsd-net
Subject: [RFC][patch] Two new actions: state-allow and state-deny
Message-ID: <54CFCD45.9070304@FreeBSD.org>

Now, to make a stateful firewall with NAT you need to do some not very "readable" tricks to record the state ("allow") of an outbound connection before NAT, but pass the packet to NAT after that.
I know two:

(a) skipto-nat-allow pattern from many HOWTOs

  add 1000 skipto 2000 all from any to any out xmit outIface
  add 1010 skipto 3000 all from any to any in recv outIface
  add 2000 skipto 2010 from any to any keep-state
  add 2010 nat NR from any to any out // Note this "out" in out section!
  add 2020 allow all from any to any
  add 3000 nat NR from any to any
  add 3010 check-state // Use dynamic rule based on 2000

(b) Adding "allow keep-state" to _IN_ rules on _internal_ interfaces to check these states AFTER _IN_ nat on _external_ interfaces.

I don't like either of them. The first one is not very clear and needs an additional "out" option on the outbound NAT rule. The second one requires having "allow keep-state" and "check-state" rules in different parts of the firewall, on different interfaces, which is not very clear either, and needs additional conditions for "allow keep-state" if you don't want a stateful firewall for internal networks and only want states for external traffic.

I propose two new actions: state-allow and state-deny. They imply "keep-state" and create new dynamic rules when called directly, but pass the packet to the NEXT rule after that (don't stop the search). When they are called as a dynamic rule, they act as "allow" and "deny".

So, a stateful firewall with NAT could be rewritten like this:

  add 1000 skipto 2000 all from any to any out xmit outIface
  add 1010 skipto 3000 all from any to any in recv outIface
  add 2000 state-allow from any to any // keep-state is implied
  add 2010 nat NR from any to any // No "out" here!
  add 2020 allow all from any to any
  add 3000 nat NR from any to any
  add 3010 check-state // Use dynamic rule based on 2000 as "allow" here

What do you think?
-- 
// Lev Serebryakov

Attachments: ipfw-state-actions.diff, ipfw-state-actions.diff.sig
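The rule walk the proposal relies on, as a toy model added here (not part of the original message or the attached patch): it shows why rule 2000 must record state without ending the search, by comparing state-allow with a plain "allow keep-state" in the same slot. The public address, the port-preserving NAT, the default-deny final rule and all sample addresses are assumptions; state-deny is not modelled.

```python
# Toy model of rules 1000-3010 from the proposal above; this is not ipfw code.
PUBLIC = "198.51.100.1"   # assumed address on outIface (constructed)
DEFAULT = "deny"          # assumed final default rule

class Firewall:
    def __init__(self, rule_2000="state-allow"):
        self.rule_2000 = rule_2000  # or "allow keep-state" for comparison
        self.states = set()         # dynamic rules, one per bidirectional flow
        self.nat = {}               # public port -> internal (addr, port)

    def _nat(self, pkt):
        """Port-preserving NAT: rewrite src going out, dst coming in."""
        if pkt["dir"] == "out":
            self.nat[pkt["src"][1]] = pkt["src"]
            pkt["src"] = (PUBLIC, pkt["src"][1])
        elif pkt["dst"][0] == PUBLIC and pkt["dst"][1] in self.nat:
            pkt["dst"] = self.nat[pkt["dst"][1]]

    def process(self, direction, src, dst):
        """Return (verdict, src, dst) as the packet looks when the search ends."""
        pkt = {"dir": direction, "src": src, "dst": dst}
        if direction == "out":                           # 1000: skipto 2000
            self.states.add(frozenset((src, dst)))       # 2000: state, pre-NAT
            if self.rule_2000 == "state-allow":
                self._nat(pkt)                           # 2010: search went on
            return "allow", pkt["src"], pkt["dst"]       # 2020 (or 2000 itself)
        self._nat(pkt)                                   # 1010 -> 3000: nat
        if frozenset((pkt["src"], pkt["dst"])) in self.states:
            return "allow", pkt["src"], pkt["dst"]       # 3010: check-state
        return DEFAULT, pkt["src"], pkt["dst"]

if __name__ == "__main__":
    inside, server = ("192.168.1.10", 40000), ("203.0.113.5", 80)
    for mode in ("state-allow", "allow keep-state"):
        fw = Firewall(mode)
        print(mode, fw.process("out", inside, server))
        print(mode, fw.process("in", server, (PUBLIC, 40000)))
        print(mode, fw.process("in", ("203.0.113.9", 1234), (PUBLIC, 22)))
```

With "allow keep-state" at rule 2000 the outbound packet is accepted with its internal source address still in place, which is the problem both workarounds in the message exist to avoid.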