[RFC] ipfw named states support
Andrey V. Elsukov
bu7cher at yandex.ru
Mon May 30 14:33:54 UTC 2016
On 30.05.16 07:56, Julian Elischer wrote:
> On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote:
>> Hi All,
>>
>> We have the patch that adds named states support to ipfw.
>
> like it and have wished for this for a long time
> this allows per-interface state. Can state name be set to a variable we
> can set or something?
> then we could have subroutines that can be used for multiple interfaces.
> (I guess we need variables first)
You specify the name when adding a rule. E.g.
# ipfw add allow tcp from me to any out igb1 keep-state igb1
# ipfw -d show 100
00100 317 36316 allow tcp from me to any out via igb1 keep-state igb1
## Dynamic rules:
00100 5 317 (246s) STATE tcp A.B.C.144 21131 <-> C.D.E.93 22 igb1
00100 0 0 (1s) STATE tcp A.B.C.144 22 <-> F.G.35.120 30876 igb1
# ipfw -d show 200 300
00200 440 42779 allow ip from table(1) to me in keep-state SOME_NET
00300 119 17416 allow tcp from me to any out keep-state MY_OUTGOUING
## Dynamic rules (3 424):
00300 4 254 (286s) STATE tcp A.B.C.144 41280 <-> X.Y.178.135 22 MY_OUTGOUING
00300 3 244 (1s) STATE tcp A.B.C.144 22 <-> C.D.E.93 26951 MY_OUTGOUING
00200 343 33995 (286s) STATE tcp F.G.35.120 62486 <-> A.B.C.144 22 SOME_NET
>> With named states we can create separate states for each interface and
>> they will not match when we don't want this.
> what does the ipfw -d list output look like?
The output is the same, just the state name is added to the end of the line.
--
WBR, Andrey V. Elsukov