Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-13 Thread Julian Elischer 

On 7/06/2016 4:00 PM, Andrey V. Elsukov wrote:

On 07.06.16 09:31, wishmaster wrote:

With the following patch you will be able create two different states, I
think, and solve your task with NAT and dynamic rules:
https://reviews.freebsd.org/D6674

Will there be the patch in the 11-RELEASE?

Hi,

there are three patches for ipfw, that I want to commit:
https://reviews.freebsd.org/D6420
https://reviews.freebsd.org/D6434
https://reviews.freebsd.org/D6674

But we are in code slush and there aren't any positive review yet. So, I
guess they will be committed only after 11.0 would be branched.


6674 would be good to have.. I;ve given it a +1


The feature I want from Lev's change is the ability to store a state 
entry without the implicit check-state.



___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-13 Thread Julian Elischer 

On 7/06/2016 10:31 PM, Ian Smith wrote:

On Tue, 7 Jun 2016 00:53:23 +0300, Andrey V. Elsukov wrote:
  > On 06.06.16 22:41, Lev Serebryakov wrote:
  > >
  > >  I still hope to see https://reviews.freebsd.org/D1776 committed before
  > > 11-RELEASE.
  > >
  > >  It seems to me, that I does everything what was requested by reviewers.
  >
  > Hi Lev,
  >
  > looking at provided description and examples, seems the main task you
  > want to solve is problem with NAT. But from my point of view, you are
  > trying to solve it in a easy way wrongly using existing methods.
  >
  > As you described in patch to ipfw(8) "Problem is, you need to create
  > dynamic rule before NAT and check it after NAT actions (or vice versa)
  > to have consistent addresses and ports."
  >
  > In terms of ipfw(4) a state is represented by ipfw_flow_id structure.
  > To solve your task you just needs two states - one for not translated
  > flow and second - for translated. Due to limits of implementation this
  > looks impossible to solve. But proposed patch with deferred action looks
  > too hackish to me.
  >
  > With the following patch you will be able create two different states, I
  > think, and solve your task with NAT and dynamic rules:
  >   https://reviews.freebsd.org/D6674

If your patch does what Lev wanted to achieve with (I thought too many)
new dynamic rule actions, then I think your simpler solution is better,
not least because it's far easier to understand for non-Julians :)


actually I want only  subset..
what I want is a "set-state"  that is the same as keep-state, but does 
not have
the implicit check-state before it. (if it has a collision with an 
existing rule it overrides it)

I also want he named state tables.   :-)



Looking from a useability and documentation perspective only - I won't
even be looking at this code - I have a few thoughts:

Thus far, keep-state and limit seem to be interchangeable options; limit
rules will need to work the same with respect to named dynamic flows; do
I assume that you've just started with only keep-state for testing?

I think flow names should be specified as an _optional_ parameter, thus:

 check-state [name]

 keep-state [name]

 limit {src-addr | src-port | dst-addr | dst-port} N [name]

where name (maybe flowname, for easier comprehension by man readers?) is
optional, assigned as 'default' whenever omitted - as well as being for
backwards ruleset compatibility, which then only needs mentioning once,
and maybe also put another way in the STATEFUL FIREWALL section.


I think flowname  is a bad name..  it's a state table name.



So a few of the existing example rules with no name could stand, while
others (see below) append names of OUTBOUND and INBOUND or whatever.

As is, you have

740 .It Cm check-state Op Ar name | Cm any | Cm default

which in other contexts would mean you have to supply one of 'name' or
'any' or 'default' when you don't have to provide one, 'default' being
assigned otherwise.  Otherwise I think this is fairly well described.

Will 'ipfw -[e]d list|show' show the flow names? or the indices?

As I pestered Lev about last year, we still need a small example ruleset
section that actually deals with potentially problematic stateful issues
with NAT - which I still don't fully understand - beyond descriptions in
the abstract case; ie an actual working dual- or multi-flow example.

I know these are "just doc" issues of little importance while testing
working code, and I haven't supplied any patches, so are just FWIW ..

cheers, Ian



___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-13 Thread Julian Elischer 

On 10/06/2016 5:11 AM, Lev Serebryakov wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 07.06.2016 00:53, Andrey V. Elsukov wrote:


looking at provided description and examples, seems the main task
you want to solve is problem with NAT. But from my point of view,
you are trying to solve it in a easy way wrongly using existing
methods.

   It is was initial driver for this patch, yes, but, please, read
subject (? is mistype, of course, it is closing ").

   Current set of primitives, dealing with state, is terribly wrong,
IMHO. "keep-state" which trigger (any!) state check alone is awuful,
and complete "keep-state / check-state" pair is ugly hack. It is like
CISC vs RISC, actually.

   New primitives are ORTHOGONAL. Each one solves one and only one
well-defined task, state creation, state checking and command
execution are well-separated. IMHO, "keep-state" in it current form
should be killed with fire. Yes, I understand about backward
compatibility and POLA, so I don't propose to really remove it, but,
IMHO, new set is much, much better.

In writing complicated automatically generated firewalls,
I've wanted the following capacities:
1/ one state table for one part of the flow and another  for a 
different part...  e.g. a different table for "inside" nat to 
"outside" nat..
also a different table for the inside interface to the outside 
interface..  just because you allow a flow at one interface doesn't 
mean you want it to be allowed through a different one.
2/ The ability to  specifically add a flow's state rule to a table, 
without EVERY OTHER FLOW hitting a 'check-state' at that point.  If I 
select s particular flow , then I do not want other flows affected. 
just that flow should be affected.
3/ the ability to select a completley different firewall for a 
differnent interface.. this can be simulated at the moment. but it'd 
be nice to be able to specify a entry pont into the table or a 
separate table per interface..   ipfw interface xn0 in enter 5000 or 
something.

or maybe ipfw interface firewall 3
4/ the ability to have variables and set and test them. We ALMOST have 
that with tags .

 i] variables would hav eone of several scopes:
  a) a single transit..  you might set some flag at rule 40 and 
branch on it at rule 4000, but a separate packet would ahv ea 
different instance.
  b) per flow..  assigned at creation of the dynamic  rule and 
avaliable at any time after a packet has been associated with that flow.

  c) global
 ii] branching on values is possible.
there are others I've wanted (and forgotten) but that's the wish-list 
I have at the moment.







As you described in patch to ipfw(8) "Problem is, you need to
create dynamic rule before NAT and check it after NAT actions (or
vice versa) to have consistent addresses and ports."

   It is only very rudimentary example to show the point of new
primitives. All meaningful examples require big and complex rulesets,
really.


In terms of ipfw(4) a state is represented by ipfw_flow_id
structure. To solve your task you just needs two states - one for
not translated flow and second - for translated.

   For what?! Logically it is one flow. NAT is kludge itself, of
course, but, IMHO, logically it doesn't create new flow, or
connection, whatever your name it. It hacks existing one.


Due to limits of implementation this looks impossible to solve. But
proposed patch with deferred action looks too hackish to me.

   IMHO, it untangles current very sad situation.


With the following patch you will be able create two different
states, I think, and solve your task with NAT and dynamic rules:
https://reviews.freebsd.org/D6674

  Named states are great and very useful by themselves, but how this
solve problem, that "keep-state" implies "check-state" rule, for example
?

  I seen a thousand posts, messages and how-tos about stateful IPFW and
all of them suffer from this "keep-state is check-state" problem,
really, when you try to structure your firewall in "ingress / egress"
per-interface sections and not one small ruleset for one interface.

- -- 
// Lev Serebryakov AKA Black Lion

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJXWdt4XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePQ+kP/jTUZQ/W2srUhiRCkTzDsGpy
dbODp6utMjQGwtZKgPRVN4+0KuchgJInA6odB/34WKfgW5THpevLkh5do8QGvm+5
/8DcYZOYwCk45TRkjhctBH6u2t0v3TPvjd1pPkknmhd3qE9Zzkk2fi+0iUWBavMH
LvLJ+afUlmw8l95Om8g4Per3C7TEWmxXews3k+vg1xgrTtPn6m1Vcwspp7gHe2Zo
OIGTzDl0S95SUofQuQX3vD7gPqm6YTnRVhtHrb36saVpP2HCv6e+7vOkyfiTV4nd
Mchu3T6e9zJ2cmWBRIE9d/wB18LRVjWE+pvosTf6EEIkRJnUUnCZF19EJj8BS+9X
7+zbPnVeUSo17YdxSTcDXL0cBuzRIsz50V2Q6bFgl313PB9u97a4FeLdNmqEZfnN
jEgeonc8loN6Fw/Mgjdn2wjmAhZaWU+zCpozzDPcjevkl9NIVVkMys4iZUUCdRkG
yGQtU18X3hHwrbM4uJs7K9JLJj1HHEgpT9mnZ3qxCQ1YKEWZ0plgPvXoFWOiYYIB
Ecz19D/kLBad3gVZ0X9NZwqA2XM23UmfMiKqd0ZcoOPiMY1WY35PQWOocOhiCIW4
mhcEwp9ZR2mV7OZEO1ObLiK1Jo/q0xNn