[RFC] ipfw named states support

Julian Elischer julian at freebsd.org
Mon May 30 04:58:57 UTC 2016


On 26/05/2016 6:11 PM, Dmitry Selivanov wrote:
> 18.05.2016 17:46, Andrey V. Elsukov wrote:
>> We have the patch that adds named states support to ipfw.
>> The idea is that we add a symbolic name-label to each dynamic state in
>> addition to IP addresses, protocol and ports.
>> This introduces new syntax for check-state and keep-state rules:
>>
>>   check-state { token | default | any }
>>   keep-state { token | default }
>
>> 1. Is this feature useful?
> Yes.
>> 2. How to commit it? Due to changed syntax it can break existing
>> rulesets. Probably, we can add some mandatory prefix to state name,
>> e.g. ':'.
> Maybe create new opcode, e.g. "save-state", and deprecate 
> "keep-state" with "save-state default".
> I'm sorry I didn't understand what Lev Serebryakov suggests, and I 
> could duplicate his suggestion.
I have already hoped for a different version of keep-state, that
saves the state without actually acting upon it.
>
> Maybe it makes sense to add a "search-state" option and use it
> instead of the "check-state" action. E.g. "allow dst-port 80
> search-state NAME".