IPFW: more "orthogonal? state operations, push into 11?
Julian Elischer
julian at freebsd.org
Mon Jun 13 14:59:33 UTC 2016
On 7/06/2016 10:31 PM, Ian Smith wrote:
> On Tue, 7 Jun 2016 00:53:23 +0300, Andrey V. Elsukov wrote:
> > On 06.06.16 22:41, Lev Serebryakov wrote:
> > >
> > > I still hope to see https://reviews.freebsd.org/D1776 committed before
> > > 11-RELEASE.
> > >
> > > It seems to me, that I does everything what was requested by reviewers.
> >
> > Hi Lev,
> >
> > looking at provided description and examples, seems the main task you
> > want to solve is problem with NAT. But from my point of view, you are
> > trying to solve it in a easy way wrongly using existing methods.
> >
> > As you described in patch to ipfw(8) "Problem is, you need to create
> > dynamic rule before NAT and check it after NAT actions (or vice versa)
> > to have consistent addresses and ports."
> >
> > In terms of ipfw(4) a state is represented by ipfw_flow_id structure.
> > To solve your task you just needs two states - one for not translated
> > flow and second - for translated. Due to limits of implementation this
> > looks impossible to solve. But proposed patch with deferred action looks
> > too hackish to me.
> >
> > With the following patch you will be able create two different states, I
> > think, and solve your task with NAT and dynamic rules:
> > https://reviews.freebsd.org/D6674
>
> If your patch does what Lev wanted to achieve with (I thought too many)
> new dynamic rule actions, then I think your simpler solution is better,
> not least because it's far easier to understand for non-Julians :)
actually I want only subset..
what I want is a "set-state" that is the same as keep-state, but does
not have
the implicit check-state before it. (if it has a collision with an
existing rule it overrides it)
I also want he named state tables. :-)
>
> Looking from a useability and documentation perspective only - I won't
> even be looking at this code - I have a few thoughts:
>
> Thus far, keep-state and limit seem to be interchangeable options; limit
> rules will need to work the same with respect to named dynamic flows; do
> I assume that you've just started with only keep-state for testing?
>
> I think flow names should be specified as an _optional_ parameter, thus:
>
> check-state [name]
>
> keep-state [name]
>
> limit {src-addr | src-port | dst-addr | dst-port} N [name]
>
> where name (maybe flowname, for easier comprehension by man readers?) is
> optional, assigned as 'default' whenever omitted - as well as being for
> backwards ruleset compatibility, which then only needs mentioning once,
> and maybe also put another way in the STATEFUL FIREWALL section.
I think flowname is a bad name.. it's a state table name.
>
> So a few of the existing example rules with no name could stand, while
> others (see below) append names of OUTBOUND and INBOUND or whatever.
>
> As is, you have
>
> 740 .It Cm check-state Op Ar name | Cm any | Cm default
>
> which in other contexts would mean you have to supply one of 'name' or
> 'any' or 'default' when you don't have to provide one, 'default' being
> assigned otherwise. Otherwise I think this is fairly well described.
>
> Will 'ipfw -[e]d list|show' show the flow names? or the indices?
>
> As I pestered Lev about last year, we still need a small example ruleset
> section that actually deals with potentially problematic stateful issues
> with NAT - which I still don't fully understand - beyond descriptions in
> the abstract case; ie an actual working dual- or multi-flow example.
>
> I know these are "just doc" issues of little importance while testing
> working code, and I haven't supplied any patches, so are just FWIW ..
>
> cheers, Ian
>
More information about the freebsd-ipfw
mailing list