[RFC] ipfw named states support

Julian Elischer julian at freebsd.org
Mon May 30 04:56:54 UTC 2016


On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote:
> Hi All,
>
> We have the patch that adds named states support to ipfw.

Like it, and have wished for this for a long time.
This allows per-interface state. Can the state name be set to a variable 
we can set or something?
Then we could have subroutines that can be used for multiple interfaces.
(I guess we need variables first.)


> This expands flexibility and functionality.
> Imagine the situation:
>
> [ LAN1 ] <---> [ FW ] <---> [ LAN2 ]
>
>    add skipto 10000 ip from any to any via lan1
>    add skipto 20000 ip from any to any via lan2
>    add deny ip from any to any
>    add 10000 count ip from any to any
>    ...
>    add allow ip from <lan1 nets here> to any keep-state in
>    add deny ip from any to any
>    add 20000 count ip from any to any
>    ...
>    add allow ip from <lan2 nets here> to any keep-state in
>    add deny ip from any to any
>
> The problem is that a state created by the first keep-state rule will act on
> the second keep-state rule and allow traffic to go into (out, from the router's
> point of view) lan2 without any rules actually allowing that.
>
> With named states we can create separate states for each interface and
> they will not match when we don't want this.
What does the ipfw -d list output look like?
> What I want to discuss
> ----------------------
>
> 1. Is this feature useful?
> 2. How to commit it? Due to changed syntax it can break existing
> rulesets. Probably, we can add some mandatory prefix to state name, e.g.
> ':'.
>
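To make the leak in the quoted ruleset concrete, here is a small simulation added to this page (it is not ipfw code and not from either poster). It models ipfw's dynamic-rule lookup closely enough to reproduce the scenario: a keep-state rule first consults the dynamic table and, on a hit, accepts the packet before its static match is evaluated. Assumptions are labelled in the code: the ":name" suffix follows the ':' prefix floated in the RFC, the LAN prefixes are made up, and the "check-state :lan1" rule in the third variant is one way the named form lets you permit the lan1-originated flow explicitly.

```python
"""Toy model of ipfw dynamic (keep-state) matching, added to illustrate the
cross-interface leak from the RFC and how per-name state tables close it.
Not ipfw code.  Assumed: ":name" state syntax, the LAN prefixes below."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN1 = ip_network("192.0.2.0/24")      # constructed: nets behind lan1
LAN2 = ip_network("198.51.100.0/24")   # constructed: nets behind lan2


@dataclass
class Packet:
    src: str
    dst: str
    iface: str   # "lan1" or "lan2"
    dir: str     # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str            # allow | deny | count | skipto | check-state
    src: object = None     # ip_network, or None for "from any"
    via: str = None        # interface, or None
    dir: str = None        # "in" / "out", or None
    state: str = None      # flow name for keep-state / check-state
    target: int = None     # skipto target

    def matches(self, p):
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.via is not None and p.iface != self.via:
            return False
        return self.dir is None or p.dir == self.dir


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.states = {}   # flow name -> set of bidirectional flows

    @staticmethod
    def _flow(p):
        return frozenset((p.src, p.dst))

    def process(self, p):
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            # keep-state / check-state consult the dynamic table *before* the
            # static match, and only the table of their own flow name.
            if r.state is not None and self._flow(p) in self.states.get(r.state, ()):
                return "allow"          # every state-creating rule here is allow
            if not r.matches(p) or r.action in ("count", "check-state"):
                i += 1
                continue
            if r.action == "skipto":
                i = next((j for j, x in enumerate(self.rules)
                          if x.number >= r.target), len(self.rules))
                continue
            if r.action == "allow":
                if r.state is not None:   # keep-state: record the flow
                    self.states.setdefault(r.state, set()).add(self._flow(p))
                return "allow"
            return "deny"
        return "deny"   # fell off the end: default deny


def ruleset(named, check_lan1_in_lan2_block=False):
    """The RFC's two-interface ruleset.  named=False: every keep-state shares
    one table (":default").  named=True: each interface block gets its own."""
    name = (lambda ifn: ":" + ifn) if named else (lambda ifn: ":default")
    rules = [
        Rule(100, "skipto", via="lan1", target=10000),
        Rule(200, "skipto", via="lan2", target=20000),
        Rule(300, "deny"),
        Rule(10000, "count"),
        Rule(10100, "allow", src=LAN1, dir="in", state=name("lan1")),
        Rule(10200, "deny"),
        Rule(20000, "count"),
        Rule(20100, "allow", src=LAN2, dir="in", state=name("lan2")),
        Rule(20200, "deny"),
    ]
    if check_lan1_in_lan2_block:   # assumed fix: explicit permission
        rules.append(Rule(20050, "check-state", state=name("lan1")))
    return rules


def forward(fw, src, dst, in_if, out_if):
    """A forwarded packet traverses the ruleset twice: on input, then output."""
    v_in = fw.process(Packet(src, dst, in_if, "in"))
    if v_in != "allow":
        return v_in, None
    return v_in, fw.process(Packet(src, dst, out_if, "out"))


def demo():
    """lan1 host -> lan2 host under the three ruleset variants."""
    cases = {"unnamed": (False, False), "named": (True, False),
             "named+check-state": (True, True)}
    return {label: forward(Firewall(ruleset(n, c)),
                           "192.0.2.10", "198.51.100.20", "lan1", "lan2")
            for label, (n, c) in cases.items()}
```

With a single shared table the packet is accepted on its way out of lan2 by the lan2 block's keep-state rule purely because the lan1 block created a matching state; with per-interface names that lookup misses and the packet falls through to the block's final deny, and the only way out is a rule that says so (here, the check-state on the lan1 name).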