Date: Sun, 7 Jun 2015 01:01:51 +0800
From: bycn82 <bycn82@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-ipfw <freebsd-ipfw@freebsd.org>, Lev Serebryakov <lev@freebsd.org>
Subject: Re: Please, review my change to ipfw, I want to commit it :)
Message-ID: <CAC%2BJH2zoJ_T39_d0YSJrHSgDB_sGziALJ8ximNrS=qpWAs0suQ@mail.gmail.com>
In-Reply-To: <CAC%2BJH2wGrKYxXcdF4kg7ztQXZ-TgcRHvAPrBy1KP3mP97t1eZw@mail.gmail.com>
References: <556C6CBB.5010803@FreeBSD.org> <20150602214303.V91076@sola.nimnet.asn.au> <20150606154353.M91076@sola.nimnet.asn.au> <CAC%2BJH2w%2BKwom5vpwfjtQzxh_C_tTY6khWHH9ZYfFAJ3Y=Oj5rQ@mail.gmail.com> <20150606233816.S91076@sola.nimnet.asn.au> <CAC%2BJH2wGrKYxXcdF4kg7ztQXZ-TgcRHvAPrBy1KP3mP97t1eZw@mail.gmail.com>

hi

correct me if i am wrong.
below is the rule you listed in your email.

add 1000 skipto 2000 all from any to any out xmit outIface
add 1010 skipto 3000 all from any to any in recv outIface
add 2000 skipto 2010 from any to any keep-state
add 2010 nat NR from any to any out // Note this "out" in out section!
add 2020 allow all from any to any
add 3000 nat NR from any to any
add 3010 check-state // Use dynamic rule based on 2000

so for the outgoing traffic, it will hit below rules

1000 skipto
2000 skipto and keep-state
2010 nat

return traffic will

1010 skipto
3000 nat

so i don't see any traffic to check-state

and i did not follow up the ipfw in FB for a while, but below is the
rules i test in my dfly environment.

ipfw3 nat 1 config if em0
ipfw3 add 1 check-state
ipfw3 add 2 nat 1 icmp via em0 keep-state
ipfw3 add 3 allow icmp via em1

So actually i still did not get the point :( i still don't understand
what is "skipto-nat-allow"

On 6 June 2015 at 23:41, bycn82 <bycn82@gmail.com> wrote:
> Hi,
>
> i saw my previous email in this thread, but i think i replied that
> without fully reading all the emails.
>
> i like the state-deny and allow,
>
> actually i tried this, in my opinion, the state is a "shortcut" or
> "soft link" which links to another rule
> when the packet matches the state. it will directly skip-to the rule.
> and the destination rule can be allow or deny or others.
>
>
>
> Regards,
> Bill Yuan
>
> On 6 June 2015 at 21:48, Ian Smith <smithi@nimnet.asn.au> wrote:
>> On Sat, 6 Jun 2015 19:52:35 +0800, bycn82 wrote:
>>
>> > *Hello,*
>> > *Can you please explain what is going on again,*
>> > *Sorry I did not follow the emails, I am not checking the FB email for a
>> > while, *
>> > *I think I missed some emails.*
>> > *e.g *
>> > *what is the purpose of the "*skip-immediate-action"
>> > *Regards,*
>> > *Bycn82*
>>
>> Hi Bill,
>>
>> please send plain text mail rather than HTML to the lists, thanks.
>>
>> Probably best to start at the several threads from February - some of
>> which you did participate in - from:
>>
>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-February/thread.html
>>
>> and then this thread from here on 1st June:
>>
>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2015-June/005872.html
>>
>> which points to the review at:
>>
>> https://reviews.freebsd.org/D1776
>>
>> cheers, Ian
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"