names for limit states?
Hello Ae,

Looks like you didn't add names support for states with limits? Why?

--
Best regards,
Lev mailto:l...@freebsd.org
Re: Named states in ipfw (and old rulesets)
On 14.08.16 20:27, Lev Serebryakov wrote:
> But looks like, that comment is lost here, here is output of "ipfw show"
> after boot:
>
> 13050 0 0 nat 2 ip from any to any // De-NAT
> 13060 0 0 check-state default
> 13070 0 0 skipto 3 ip from any to any // Allowed local services
> - common block
>
> So, yes, comment is lost!

It looks like it never worked due to "goto done" in the code.

--
WBR, Andrey V. Elsukov
Re: names for limit states?
On 14.08.16 15:04, Lev Serebryakov wrote:
> Hello Ae,
>
> Looks like you didn't add names support for states with limits? Why?

For me it looks like I did that. Why would you think differently? :)

--
WBR, Andrey V. Elsukov
Named states in ipfw (and old rulesets)
Hello Lev,

Sunday, August 14, 2016, 8:20:16 PM, you wrote:

> Line 155: Ambiguous state name '//', 'default' used instead.
> : No error: 0
> 0 check-state default

Ok, really this one is (no rule number, I rely on auto-numbering):

add nat 2 // De-NAT
add check-state // Make things faster
add skipto 3 // Allowed local services - common block

But it looks like that comment is lost here; here is output of "ipfw show" after boot:

13050 0 0 nat 2 ip from any to any // De-NAT
13060 0 0 check-state default
13070 0 0 skipto 3 ip from any to any // Allowed local services - common block

So, yes, comment is lost!

--
Best regards,
Lev mailto:l...@serebryakov.spb.ru
Re: names for limit states?
Hello Andrey,

Sunday, August 14, 2016, 4:29:50 PM, you wrote:

>> Looks like you didn't add names support for states with limits? Why?
> For me it looks like I did that. Why would you think differently? :)

Because I need to read code better, sorry!

--
Best regards,
Lev mailto:l...@freebsd.org
Notice on upcoming ipdbtools 1.1.1
As was noticed by the port maintainer, the initial release of ipdbtools 1.1.0 into the ports did not compile on i386 systems because of the lack of the __uint128_t data type on 32bit systems, which was used for IPv6 computing.

In the meantime, I rolled in the necessary uint128 comparison, shift and basic arithmetic operations that provide the missing built-in __uint128_t operations on 32bit systems. The 64bit targets x86-64 and arm64 continue to utilize the built-in operations.

The changes are ready on GitHub, and I will submit a changed port PR on Monday (tomorrow) night; most of the post-mortem fixes since the initial release are included -- I won't rename the tool 'ipup', though.

Best regards
Rolf

___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Named states in ipfw
Hello Freebsd-ipfw,

I've tried a new build of 12-CURRENT (with the new ipfw feature of named states) with an OLD ruleset, and I'm disappointed by the user experience. The old ruleset contains a lot of "keep-state" and "check-state" statements, and all this "Ambiguous state names" noise is, really, noise. It looks ridiculous sometimes:

0 deny ip from any to any src-ip table(bans) // And it should not be banned
13040 allow ip from any to any src-ip 216.66.80.26 proto ipv6 // IPv6 tunneling through this interface
13050 nat 2 ip from any to any // De-NAT
Line 155: Ambiguous state name '//', 'default' used instead.
: No error: 0
0 check-state default
13070 skipto 3 ip from any to any // Allowed local services - common block

What does this error about "//" mean? The previous and next rules don't contain state-related tokens. It looks like the errors are out of sync with the commands, and all this ": No error: 0" -- WTF?

Also, all this "default" in "ipfw show" output is just noise when there is ONLY the default state.

Now I think that this syntax of named rules is not good enough to work with old rulesets. I think something like keep-state(name) or keep-state :name could be much better. In the first case, all this '(name)' part must be optional, of course.

A ton of useless errors (warnings?) in case of an "old-style" ruleset looks very ugly, IMHO.

--
Best regards,
Lev mailto:l...@freebsd.org
Auto-numbered rules with state or table opcodes are printed out as "number 00000" on addition
Hello Lev,

Sunday, August 14, 2016, 8:27:02 PM, you wrote:

When auto-numbering is used, all rules with any keep-state/check-state or table opcodes are printed out as number 0 on addition, like this:

add 11000 allow dst-ip MCAST // Allow incoming multicast
add deny not dst-ip SKYNET_IP // Before NAT it should be to this specific me!
add deny src-ip table(intip4) // And it should be not from strange addresses
add deny src-ip table(bans) // And it should not be banned
add allow src-ip HE_IPV4_TUN proto ipv6 // IPv6 tunneling through this interface
add nat SKYNET_NAT // De-NAT
add check-state // Make things faster
add skipto 3 // Allowed local services - common block
add deny // Safeguard

11000 allow ip from any to any dst-ip 224.0.0.0/4 // Allow incoming multicast
11010 deny ip from any to any not dst-ip 94.19.235.70 // Before NAT it should be to this specific me!
0 deny ip from any to any src-ip table(intip4) // And it should be not from strange addresses
0 deny ip from any to any src-ip table(bans) // And it should not be banned
11040 allow ip from any to any src-ip 216.66.80.26 proto ipv6 // IPv6 tunneling through this interface
11050 nat 1 ip from any to any // De-NAT
Line 133: Ambiguous state name '//', 'default' used instead.
: No error: 0
0 check-state default
11070 skipto 3 ip from any to any // Allowed local services - common block
11080 deny ip from any to any // Safeguard

They really got proper numbers, but the "ipfw" output looks strange.

--
Best regards,
Lev mailto:l...@freebsd.org
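A simplified model of the parsing order behind the "Ambiguous state name '//'" warning that Lev quotes in both of his rule listings, and of the lost comment Andrey attributes to the "goto done" in the check-state path. This is an added example written for this thread, not ipfw's own code: parse_check_state, cs_rule and the comment_first switch are hypothetical names, and the rule lines it is run on are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Constructed model of an ipfw-style "check-state [name] [// comment]"
 * parser (hypothetical code, not ipfw's own). */
struct cs_rule {
    char state[32];    /* state name; "default" when none is given */
    char comment[128]; /* text after "//", empty when there is none */
    int  ambiguous;    /* 1 when the name token was rejected */
};

/* Skip the previous token (skip bytes) and blanks; return the next token's length. */
static size_t next_tok(const char **p, size_t skip)
{
    *p += skip + strspn(*p + skip, " \t");
    return strcspn(*p, " \t");
}

/* Keep the text after "//" (leading blanks dropped) as the rule comment. */
static void store_comment(const char *p, struct cs_rule *r)
{
    snprintf(r->comment, sizeof(r->comment), "%s", p + strspn(p, " \t"));
}

/* comment_first selects the fixed order (look for "//" before reading the
 * optional name); otherwise "//" is examined as a name, rejected as ambiguous,
 * "default" is used, and the early return (the "goto done") drops the comment. */
int parse_check_state(const char *line, int comment_first, struct cs_rule *r)
{
    const char *p = line;
    size_t n = next_tok(&p, 0);
    memset(r, 0, sizeof(*r));
    strcpy(r->state, "default");
    if (n != 11 || strncmp(p, "check-state", n) != 0) return -1;
    n = next_tok(&p, n);
    if (n == 0) return 0;                          /* bare "check-state" */
    if (comment_first && strncmp(p, "//", 2) == 0) {
        store_comment(p + 2, r);                   /* fixed: comment kept */
        return 0;
    }
    if (!isalnum((unsigned char)*p)) {             /* "//" is not a name */
        r->ambiguous = 1;
        return 0;            /* early exit: rest of line, comment included, lost */
    }
    snprintf(r->state, sizeof(r->state), "%.*s", (int)n, p);
    n = next_tok(&p, n);
    if (n >= 2 && strncmp(p, "//", 2) == 0) store_comment(p + 2, r);
    return 0;
}
```

With comment_first set to 0 the constructed line "check-state // Make things faster" yields state "default", the ambiguous flag and an empty comment, which is exactly the listing in the thread; with it set to 1 the comment survives.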