List: freebsd-ipfw
Subject: Named states in ipfw
From: Lev Serebryakov <lev () FreeBSD ! org>
Date: 2016-08-14 17:20:16
Message-ID: 1812167147.20160814202008 () serebryakov ! spb ! ru
Hello Freebsd-ipfw,

I've tried a new build of 12-CURRENT (with the new ipfw feature of named states)
with an OLD ruleset, and I'm disappointed by the user experience.
The old ruleset contains a lot of "keep-state" and "check-state" statements, and
all this "Ambiguous state names" noise is, really, noise. It looks
ridiculous sometimes:
00000 deny ip from any to any src-ip table(bans) // And it should not be banned
13040 allow ip from any to any src-ip 216.66.80.26 proto ipv6 // IPv6 tunneling through this interface
13050 nat 2 ip from any to any // De-NAT
Line 155: Ambiguous state name '//', 'default' used instead.
: No error: 0
00000 check-state default
13070 skipto 30000 ip from any to any // Allowed local services - common block
What does this error about "//" mean? The previous and next rules don't
contain state-related tokens. It looks like the errors are out of sync with the
commands, and all this ": No error: 0" -- WTF? Also, all this "default" in
the "ipfw show" output is just noise when there is ONLY the default state.
Now I think that this syntax of named rules is not good enough to work with
old rulesets. I think something like
keep-state(name)
or
keep-state :name
could be much better. In the first case, all this '(name)' part must be
optional, of course.
A ton of useless errors (warnings?) in the case of an "old-style" ruleset looks
very ugly, IMHO.
--
Best regards,
Lev mailto:lev@FreeBSD.org
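The migration problem described in the message above (an old ruleset whose keep-state/check-state rules carry no flow name and therefore all land in the implicit "default" state table) can be audited before upgrading. The script below is an added example, not part of the post or of FreeBSD's ipfw: it assumes the ":flowname" suffix syntax (the second form proposed above), uses a constructed sample ruleset, and only reads and rewrites text; it never loads rules into a firewall.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from ipfw itself).
# Audit an ipfw ruleset file for keep-state / check-state rules that have no
# explicit ":flowname" and so fall back to the implicit "default" state table,
# then optionally rewrite them with an explicit name. The ruleset below is
# constructed for illustration only.

RULESET_FILE="${TMPDIR:-/tmp}/ipfw_audit_$$.rules"
trap 'rm -f "$RULESET_FILE"' EXIT
cat >"$RULESET_FILE" <<'EOF'
# constructed sample ruleset (not the poster's real rules)
add 100 check-state
add 200 allow tcp from me to any setup keep-state // outbound, implicit default
add 300 allow tcp from any to me 22 setup keep-state :ssh // named state
add 400 check-state :ssh
add 500 deny ip from any to any
EOF

# list_unnamed_state_rules FILE
# Prints every rule line that uses keep-state or check-state without a ":name"
# token right after it. Trailing "// ..." comments are stripped before the
# check so a comment marker is never mistaken for a state name.
list_unnamed_state_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments/blank lines
        {
            line = $0
            sub(/[[:space:]]*\/\/.*$/, "", line)           # drop trailing // comment
            n = split(line, tok)                           # default FS: runs of blanks
            for (i = 1; i <= n; i++) {
                if (tok[i] == "keep-state" || tok[i] == "check-state") {
                    if (tok[i+1] ~ /^:/) next              # explicitly named: fine
                    print $0                               # implicit "default": report
                    next
                }
            }
        }
    ' "$1"
}

# count_unnamed_state_rules FILE
# Returns (prints) the number of rules that rely on the implicit default name.
count_unnamed_state_rules() {
    list_unnamed_state_rules "$1" | wc -l | tr -d ' '
}

# rewrite_with_name FILE NAME
# Emits FILE with ":NAME" appended to every keep-state/check-state that lacks
# a name, so the flow name each rule uses is visible in the ruleset itself.
rewrite_with_name() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            out = ""
            n = split($0, tok)
            for (i = 1; i <= n; i++) {
                out = out (i > 1 ? " " : "") tok[i]
                if ((tok[i] == "keep-state" || tok[i] == "check-state") && tok[i+1] !~ /^:/)
                    out = out " :" name
            }
            print out
        }
    ' "$1"
}

echo "Rules using the implicit default state table:"
list_unnamed_state_rules "$RULESET_FILE"
echo "Ruleset with the flow name made explicit:"
rewrite_with_name "$RULESET_FILE" default
```

Run it on a real ruleset by pointing RULESET_FILE at the file instead of the heredoc; a count of zero means every stateful rule already names its flow, and the rewritten output can be diffed against the original before anything is loaded.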