Hi All, We have the patch that adds named states support to ipfw. The idea is that we add a symbolic name-label to each dynamic state in addition to IP addresses, protocol and ports. This introduces new syntax for check-state and keep-state rules:
check-state { token | default | any }
keep-state { token | default }

The @token can contain symbols from the following mask: [a-zA-Z0-9\-_\.]{1,63}

How it works
------------

The "keep-state NAME" opcode creates a state with the assigned name NAME. This state can be matched only by the 'keep-state NAME', 'check-state NAME' or 'check-state any' opcodes.

The "default" name is used for compatibility with old rules. It is assigned to states when you omit the name when creating a rule. So,

# ipfw add check-state
# ipfw add allow ip from any to any keep-state

will produce:

check-state default
allow ip from any to any keep-state default

But there is one problem: when your rule has some opcodes after the 'keep-state' opcode (e.g. "keep-state in"), such opcodes can be treated as a state name.

'check-state any' matches states independently of the name.

Why we need this
----------------

This expands flexibility and functionality. Imagine the situation:

[ LAN1 ] <---> [ FW ] <---> [ LAN2 ]

add skipto 10000 ip from any to any via lan1
add skipto 20000 ip from any to any via lan2
add deny ip from any to any

add 10000 count ip from any to any
...
add allow ip from <lan1 nets here> to any keep-state in
add deny ip from any to any

add 20000 count ip from any to any
...
add allow ip from <lan2 nets here> to any keep-state in
add deny ip from any to any

The problem is that a state created by the first keep-state rule will act on the second keep-state rule and allow traffic to go into lan2 (out, from the router's point of view) without any rules actually allowing that. With named states we can create separate states for each interface, and they will not match when we don't want this.

What I want to discuss
----------------------

1. Is this feature useful?
2. How to commit it? Due to the changed syntax it can break existing rulesets. Probably we can add some mandatory prefix to the state name, e.g. ':'.

-- 
WBR, Andrey V. Elsukov
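The cross-interface leak described in the message, and the effect of naming the states, as an added illustration that is not part of the original message and not ipfw's own code: a small Python model of the relevant part of ipfw's rule walk, in which a keep-state rule first performs an implicit check-state for its own state name and a hit applies the creating rule's action regardless of interface, direction or the rule's static match. The networks (10.1.0.0/24 and 10.2.0.0/24 standing in for "<lan1 nets here>" and "<lan2 nets here>"), the addresses, the rule numbers and the interface names are constructed for the example, and states are keyed only on the unordered address pair rather than the full protocol/port tuple, to keep the model short.

```python
"""Model of ipfw dynamic-state matching with unnamed vs. named states.

Added example, not ipfw's code.  Addresses, networks, rule numbers and
interface names are constructed; states are keyed on the address pair only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN1 = ipaddress.ip_network("10.1.0.0/24")   # constructed: <lan1 nets here>
LAN2 = ipaddress.ip_network("10.2.0.0/24")   # constructed: <lan2 nets here>


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface ipfw sees the packet on
    direction: str   # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str                                      # allow | deny | skipto | count | check-state
    src_net: Optional[ipaddress.IPv4Network] = None  # None means "any"
    via: Optional[str] = None
    direction: Optional[str] = None
    keep_state: Optional[str] = None                 # state name ("default" when omitted)
    check_state: Optional[str] = None                # state name, or "any"
    skipto: Optional[int] = None

    def static_match(self, pkt: Packet) -> bool:
        """The rule's own match conditions (src net, via, in/out)."""
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in self.src_net:
            return False
        if self.via is not None and pkt.iface != self.via:
            return False
        return self.direction is None or pkt.direction == self.direction


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        # (state name, unordered address pair) -> (action, number) of the creating rule
        self.states = {}

    def _state_hit(self, name, pkt):
        pair = frozenset((pkt.src, pkt.dst))   # dynamic states match both directions
        if name == "any":                      # 'check-state any': ignore the name
            return next((v for (nm, p), v in self.states.items() if p == pair), None)
        return self.states.get((name, pair))

    def process(self, pkt):
        """One pass of a packet through the ruleset; returns (verdict, rule number)."""
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            # keep-state does an implicit check-state for its own name before its
            # static match; a hit applies the creating rule's action, whatever the
            # interface or direction of the current packet
            name = r.check_state if r.action == "check-state" else r.keep_state
            if name is not None:
                hit = self._state_hit(name, pkt)
                if hit is not None:
                    return hit
            if r.action != "check-state" and r.static_match(pkt):
                if r.keep_state is not None:
                    self.states[(r.keep_state, frozenset((pkt.src, pkt.dst)))] = (r.action, r.number)
                if r.action == "skipto":
                    i = next((k for k, x in enumerate(self.rules) if x.number >= r.skipto),
                             len(self.rules))
                    continue
                if r.action != "count":
                    return (r.action, r.number)
            i += 1
        return ("deny", 65535)   # implicit default deny at the end of the ruleset


def ruleset(name1="default", name2="default", extra=()):
    """The two-LAN ruleset from the message, with the state names as parameters."""
    rules = [
        Rule(100, "skipto", via="lan1", skipto=10000),
        Rule(200, "skipto", via="lan2", skipto=20000),
        Rule(300, "deny"),
        Rule(10000, "count"),
        Rule(10100, "allow", src_net=LAN1, direction="in", keep_state=name1),
        Rule(10200, "deny"),
        Rule(20000, "count"),
        Rule(20100, "allow", src_net=LAN2, direction="in", keep_state=name2),
        Rule(20200, "deny"),
    ]
    return Firewall(rules + list(extra))


def forward_lan1_to_lan2(fw, src="10.1.0.5", dst="10.2.0.7"):
    """One forwarded packet: ipfw sees it inbound on lan1, then outbound on lan2."""
    v_in, _ = fw.process(Packet(src, dst, "lan1", "in"))
    v_out, rule = fw.process(Packet(src, dst, "lan2", "out"))
    return (v_in, v_out, rule)


if __name__ == "__main__":
    print("unnamed states:", forward_lan1_to_lan2(ruleset()))
    print("named states:  ", forward_lan1_to_lan2(ruleset("lan1", "lan2")))
    opt_in = ruleset("lan1", "lan2", extra=[Rule(20050, "check-state", check_state="lan1")])
    print("explicit check-state lan1 in the lan2 section:", forward_lan1_to_lan2(opt_in))
```

With both sections using the default name, the outbound pass on lan2 is accepted by the state that rule 10100 created, even though rule 20100's own match ("from <lan2 nets> to any ... in") never applies to that packet. With distinct names, rule 20100's implicit check finds no "lan2" state, its static match fails, and the packet falls through to the deny at 20200; letting lan1 states through on lan2 then becomes an explicit decision, expressed as a 'check-state lan1' rule in the lan2 section.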