Date: Mon, 30 May 2016 12:58:40 +0800
From: Julian Elischer <julian@freebsd.org>
To: Dmitry Selivanov <sd@rlan.ru>, "Andrey V. Elsukov" <ae@FreeBSD.org>, freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject: Re: [RFC] ipfw named states support
Message-ID: <c010f18f-ae55-7f28-442e-5923d240aa9c@freebsd.org>
In-Reply-To: <cf7c98e0-843d-dbec-2f00-836c4ee41f66@rlan.ru>
References: <573C803E.5020600@FreeBSD.org> <cf7c98e0-843d-dbec-2f00-836c4ee41f66@rlan.ru>

On 26/05/2016 6:11 PM, Dmitry Selivanov wrote:
> 18.05.2016 17:46, Andrey V. Elsukov wrote:
>> We have the patch that adds named states support to ipfw.
>> The idea is that we add a symbolic name-label to each dynamic state in
>> addition to IP addresses, protocol and ports.
>> This introduces new syntax for check-state and keep-state rules:
>>
>> check-state { token | default | any }
>> keep-state { token | default }
>
>> 1. Is this feature useful?
> Yes.
>> 2. How to commit it? Due to changed syntax it can break existing
>> rulesets. Probably, we can add some mandatory prefix to state name,
>> e.g. ':'.
> Maybe create new opcode, e.g. "save-state", and deprecate
> "keep-state" with "save-state default".
> I'm sorry I didn't understand what Lev Serebryakov suggests, and I
> could duplicate his suggestion.

I have already hoped for a different version of keep-state, that saves
the state without actually acting upon it.

>
> Maybe there is a sense to add "search-state" option and use it
> instead of "check-state" action. E.g. "allow dst-port 80
> search-state NAME".
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"