On 30.05.16 07:56, Julian Elischer wrote:
> On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote:
>> Hi All,
>>
>> We have the patch that adds named states support to ipfw.
>
> like it and have wished for this for a long time
> this allows per-interface state. Can state name be set to a variable we
> can set or something?
> then we could have subroutines that can be used for multiple interfaces.
> (I guess we need variables first)

You specify the name when adding a rule. E.g.

# ipfw add allow tcp from me to any out igb1 keep-state igb1
# ipfw -d show 100
00100 317 36316 allow tcp from me to any out via igb1 keep-state igb1
## Dynamic rules:
00100 5 317 (246s) STATE tcp A.B.C.144 21131 <-> C.D.E.93 22 igb1
00100 0 0 (1s) STATE tcp A.B.C.144 22 <-> F.G.35.120 30876 igb1

# ipfw -d show 200 300
00200 440 42779 allow ip from table(1) to me in keep-state SOME_NET
00300 119 17416 allow tcp from me to any out keep-state MY_OUTGOUING
## Dynamic rules (3 424):
00300 4 254 (286s) STATE tcp A.B.C.144 41280 <-> X.Y.178.135 22 MY_OUTGOUING
00300 3 244 (1s) STATE tcp A.B.C.144 22 <-> C.D.E.93 26951 MY_OUTGOUING
00200 343 33995 (286s) STATE tcp F.G.35.120 62486 <-> A.B.C.144 22 SOME_NET

>> With named states we can create separate states for each interface and
>> they will not match when we don't want this.
> what does the ipfw -d list output look like?

The output is the same, just the state name is added to the end of the line.

--
WBR, Andrey V. Elsukov
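As an added illustration (not part of the thread, and not code from the ipfw patch), the script below generates one outbound stateful rule per interface using the interface name as the state name, as in the reply above, and then audits `ipfw -d show` output by counting dynamic states per state name. The interface list, rule numbers and the sample show output are constructed.

```shell
#!/bin/sh
# Added example; rule syntax follows the thread's "keep-state NAME" form.

# Emit one stateful outbound rule per interface. Using the interface
# name as the state name means a state created on igb0 can never match
# a packet being checked against the igb1 rule. Rule numbers are constructed.
gen_iface_rules() {
    num=1000
    for iface in "$@"; do
        printf 'add %d allow tcp from me to any out via %s keep-state %s\n' \
            "$num" "$iface" "$iface"
        num=$((num + 100))
    done
}

# Constructed sample of `ipfw -d show` output, modelled on the thread's
# examples (addresses are placeholders copied from the message).
SAMPLE_SHOW='00100 317 36316 allow tcp from me to any out via igb1 keep-state igb1
## Dynamic rules (3 424):
00100 5 317 (246s) STATE tcp A.B.C.144 21131 <-> C.D.E.93 22 igb1
00100 0 0 (1s) STATE tcp A.B.C.144 22 <-> F.G.35.120 30876 igb1
00200 343 33995 (286s) STATE tcp F.G.35.120 62486 <-> A.B.C.144 22 SOME_NET'

# Count dynamic states per state name. The name is the last field of
# each STATE line, which is exactly what the reply says the -d output adds.
count_states() {
    printf '%s\n' "$1" |
        awk '/ STATE / { n[$NF]++ } END { for (k in n) printf "%s %d\n", k, n[k] }' |
        LC_ALL=C sort
}

# Return how many dynamic states carry a given state name (0 if none).
states_named() {
    printf '%s\n' "$1" |
        awk -v name="$2" '/ STATE / && $NF == name { c++ } END { print c + 0 }'
}

# Usage when run directly: print the generated rules and the per-name audit.
gen_iface_rules igb0 igb1
count_states "$SAMPLE_SHOW"
```

Feeding `ipfw -d show` into `count_states` on a live box shows at a glance whether states are being created under the expected per-interface names or under a shared one.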