Please, review my change to ipfw, I want to commit it :)
Ian Smith
smithi at nimnet.asn.au
Tue Jun 2 13:03:57 UTC 2015
On Mon, 1 Jun 2015 17:31:23 +0300, Lev Serebryakov wrote:
> https://reviews.freebsd.org/D1776
>
> It was discussed in this list some time ago, but looks like
> everything stuck.
>
> Any comments/objections?
>
> This patch works on my router since first patch version without
> problems and allows me to greatly simplify my firewall.
I just glanced over the code for rough gist, looking for intent rather
than correctness - which I would miss. I also reviewed your earlier
posts about this, and think I'm almost starting to get it ..

First, it seems this code won't hurt anyone who doesn't know about it :)
and so could probably be MFC'd before too long without likely damage.

Second, thanks Julian for language patches, it's helped me follow it.

It would be nice if skip-immediate-action could be shortened, especially
where printed by ip_fw2.c .. skip-action may be enough? defer-action?

But mainly, I think this needs some practical, not too complex examples
that clearly show just how these can work with various flows, perhaps a
section for ipfw(8) EXAMPLES?

E.g., some rule sections dealing with NAT states vs IPFW dynamic states
that show how to deal with the very issues and twisty constructs needed
without these, that you pointed out earlier, could be really helpful.

cheers, Ian