On 14.06.2019 23:13, Peter wrote: > 2. There are dynamic rules involved. These do not disappear on a > "set disable". They stay and continue to function - somehow. > > 3. When a packet successfully matches a check-state, it does NOT > continue to be processed at the rule following that check-state. > Instead, it does continue to be processed at the place after > the parent keep-state rule that was originally matched! > > But what if that keep-state rule is now disabled, and the new > rules do not line up in their numbering in the exact same way? > Then this packet appears at some arbitrary place in the rule > list and may go to whereever.
Dynamic rules use only "action" part of parent rule, so when dynamic state is "applied" to a packet, it just executes action of parent rule without checking the set to which belongs the rule. But then, if a packet processing is continued, the next rule checked from the beginning, and thus its set is checked. > Obviousely this is not an issue if you do keep-state with simple > Allow or Deny rules - then the packets leave the system after > matching. > But such simple keep-state do not work with NAT. For NAT one needs > a more elaborate approach, like tagging and branching and > subroutine calling. > > So the outcome is: > > When switching sets with such a configuration that introduces > branches and subroutines, the old and new rules need to precisely > line up to each other, so that the old dynamic rules (which should > be kept for the network sessions to persist) can reinsert their > matched packets at places where correct further processing happens. > > Doesn't seem like an easy task... You may try 11.3-BETA where new implementation of dyn_keep_states was committed. When you set net.inet.ip.fw.dyn_keep_states=1, the dynamic states aren't deleted with their parents rules. They are kept until expiring or explicit deletion (with -D flag). But the next rule for states that don't stop packet processing is the last rule. This is probably will not fit your requirements. -- WBR, Andrey V. Elsukov
signature.asc
Description: OpenPGP digital signature