On 04/08/16 18:12, Julian Elischer wrote:
On 4/08/2016 6:50 PM, Andrey V. Elsukov wrote:
On 04.08.16 06:42, Julian Elischer wrote:
so it's a combination of #1 and #2 in my list. I think I originally
thought of having just #1.
A combination is less useful for me as you need to do:
20 skipto 400 tcp from table(2) to me setup record-state
21 skipto 400 tcp from table(2) to me setup
to make the entire session do the same thing.
So, in your example, what's wrong with just using keep-state?
"record-state without immediate action" == "keep-state without implicit
check-state" needed to solve issues with NAT or something similar, that
was described by Lev.
because keep-state is a check-state for ALL packets going past,
regardless of whether they match the pattern.
at least that's what I have observed.
According to the documentation and my experience it is. As a workaround
I use skipto $stateful + record-state. That way each stateful match
continues processing at $stateful. While it works, it's hard to
understand when combined with in-kernel NAT, because you end up with
asymmetric paths through the ruleset for incoming and outgoing packets.
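To make the behaviour discussed above concrete, here is a toy model of the ipfw stateful options (keep-state, record-state, check-state, skipto). It is an added example written for this thread, not ipfw source and not anyone's posted code; the rule engine, the packet and rule classes, and the sample addresses 10.0.0.1, 10.0.0.9 and 192.0.2.1 are all constructed assumptions. It models only what the thread talks about: a keep-state rule performs an implicit check-state on every packet that reaches it, record-state creates the same dynamic entry without that check, and a dynamic match executes the action of the rule that created the entry, which is what makes "skipto $stateful ... record-state" resume at the stateful section for both directions of a session.

```python
"""Toy model of ipfw keep-state / record-state / check-state / skipto.
Constructed teaching example; not ipfw code. Models only:
  * keep-state = implicit check-state for EVERY packet reaching the rule;
  * record-state = same dynamic entry, no implicit check;
  * a dynamic match runs the action of the rule that created the entry."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    setup: bool = False        # True for the TCP SYN that opens a session


@dataclass
class Rule:
    num: int
    action: str                # 'allow', 'deny', 'skipto N' or 'check-state'
    proto: str = 'ip'
    src: str = 'any'
    dst: str = 'any'
    setup: bool = False        # body matches only SYN packets
    keep_state: bool = False
    record_state: bool = False
    check_state: bool = False

    def body_matches(self, pkt: Packet) -> bool:
        if self.check_state:   # a bare check-state rule has no body
            return False
        return (self.proto in ('ip', pkt.proto)
                and self.src in ('any', pkt.src)
                and self.dst in ('any', pkt.dst)
                and (pkt.setup or not self.setup))


def flow_key(pkt: Packet):
    # dynamic state is bidirectional: both directions share one entry
    return (pkt.proto, frozenset((pkt.src, pkt.dst)))


def rule_index(ruleset, num: int) -> int:
    # index of the first rule numbered >= num (skipto semantics)
    for i, r in enumerate(ruleset):
        if r.num >= num:
            return i
    return len(ruleset)


def perform(ruleset, action: str) -> Tuple[Optional[str], Optional[int]]:
    # final verdict, or the index to continue from after a skipto
    if action.startswith('skipto '):
        return None, rule_index(ruleset, int(action.split()[1]))
    return action, None


def run(ruleset, dyn: dict, pkt: Packet) -> Tuple[str, str]:
    """Evaluate one packet; returns (verdict, what decided it).
    dyn is the dynamic state table and is updated in place."""
    idx = 0
    while idx < len(ruleset):
        rule = ruleset[idx]
        if rule.check_state or rule.keep_state:      # implicit check-state
            parent = dyn.get(flow_key(pkt))
            if parent is not None:
                parent_rule = ruleset[rule_index(ruleset, parent)]
                verdict, idx = perform(ruleset, parent_rule.action)
                if verdict:
                    return verdict, f'dynamic state from rule {parent}'
                continue
        if rule.body_matches(pkt):
            if rule.keep_state or rule.record_state:
                dyn.setdefault(flow_key(pkt), rule.num)
            verdict, idx = perform(ruleset, rule.action)
            if verdict:
                return verdict, f'rule {rule.num}'
            continue
        idx += 1
    return 'deny', 'default rule'


# constructed sample traffic
SYN = Packet('tcp', '10.0.0.1', '192.0.2.1', setup=True)    # client opens session
REPLY = Packet('tcp', '192.0.2.1', '10.0.0.1')              # server answers
OTHER = Packet('tcp', '10.0.0.9', '192.0.2.1', setup=True)  # unrelated host


def keep_state_demo():
    """The reply never matches rule 10's body, yet rule 10's implicit
    check-state passes it: keep-state checks ALL packets going past."""
    ruleset = [Rule(10, 'allow', 'tcp', '10.0.0.1', '192.0.2.1', setup=True, keep_state=True),
               Rule(20, 'deny')]
    dyn = {}
    return run(ruleset, dyn, SYN), run(ruleset, dyn, REPLY)


def record_state_demo():
    """Same dynamic entry is created, but nothing checks it, so the
    reply falls through to the deny rule."""
    ruleset = [Rule(10, 'allow', 'tcp', '10.0.0.1', '192.0.2.1', setup=True, record_state=True),
               Rule(20, 'deny')]
    dyn = {}
    return run(ruleset, dyn, SYN), run(ruleset, dyn, REPLY)


def skipto_stateful_demo():
    """The workaround from the thread: explicit check-state up front and
    'skipto 400 ... record-state' on the opener, so every later packet of
    that session (either direction) resumes at the stateful section 400."""
    ruleset = [Rule(10, 'check-state', check_state=True),
               Rule(20, 'skipto 400', 'tcp', '10.0.0.1', setup=True, record_state=True),
               Rule(30, 'deny'),
               Rule(400, 'allow')]
    dyn = {}
    return run(ruleset, dyn, SYN), run(ruleset, dyn, REPLY), run(ruleset, dyn, OTHER)


if __name__ == '__main__':
    print('keep-state     :', keep_state_demo())
    print('record-state   :', record_state_demo())
    print('skipto+record  :', skipto_stateful_demo())
```

The third demo is the asymmetric-path pattern the message describes: the SYN reaches 400 via the static rule 20, while the reply reaches 400 only through the check-state at rule 10, so the two directions of one session take different routes through the ruleset before converging.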
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"