[RFC] ipfw named states support
Hi All,
We have the patch that adds named states support to ipfw.
The idea is that we add a symbolic name-label to each dynamic state in
addition to IP addresses, protocol and ports.
This introduces new syntax for check-state and keep-state rules:
check-state { token | default | any }
keep-state { token | default }
The @token can contain symbols from the following mask:
[a-zA-Z0-9\-_\.]{1,63}
How it works
"keep-state NAME" opcode creates state with assigned name NAME. This
state can be matched only by 'keep-state NAME' or 'check-state NAME', or
'check-state any' opcodes. The "default" name used for compatibility
with old rules. It is assigned to states when you omit the name on rule
creating. So,
# ipfw add check-state
# ipfw add allow ip from any to any keep-state
will produce:
check-state default
allow ip from any to any keep-state default
But there is one problem, when your rule has some opcodes after
'keep-state' opcode (e.g. "keep-state in"). Such opcodes can be treated
as state name.
'check-state any' matches states independently from the name.
Why we need this
This expands flexibility and functionality.
Imagine the situation:
[ LAN1 ] <---> [ FW ] <---> [ LAN2 ]
add skipto 1 ip from any to any via lan1
add skipto 2 ip from any to any via lan2
add deny ip from any to any
add 1 count ip from any to any
...
add allow ip from to any keep-state in
add deny ip from any to any
add 2 count ip from any to any
...
add allow ip from to any keep-state in
add deny ip from any to any
The problem is that a state created by first keep-state rule will act on
second keep-state rule and allow traffic to go into (out from router's
point of view) lan2 without any rules actually allowing that.
With named states we can create separate states for each interface and
they will not match when we don't want this.
What I want to discuss
--
1. Is this feature useful?
2. How to commit it? Due to changed syntax it can break existing
rulesets. Probably, we can add some mandatory prefix to state name, e.g.
':'.
--
WBR, Andrey V. Elsukov
signature.asc
Description: OpenPGP digital signature
Re: [RFC] ipfw named states support
On 18.05.2016 17:46, Andrey V. Elsukov wrote: > 1. Is this feature useful? IMHO, yes. > 2. How to commit it? Due to changed syntax it can break existing > rulesets. Probably, we can add some mandatory prefix to state name, e.g. > ':'. How about simply disable names which are keywords? Like variable names in conventional programming language. -- // Lev Serebryakov signature.asc Description: OpenPGP digital signature
Re: [RFC] ipfw named states support
18.05.2016 17:46, Andrey V. Elsukov пишет:
We have the patch that adds named states support to ipfw.
The idea is that we add a symbolic name-label to each dynamic state in
addition to IP addresses, protocol and ports.
This introduces new syntax for check-state and keep-state rules:
check-state { token | default | any }
keep-state { token | default }
1. Is this feature useful?
Yes.
2. How to commit it? Due to changed syntax it can break existing
rulesets. Probably, we can add some mandatory prefix to state name, e.g.
':'.
Maybe create new opcode, e.g. "save-state", and deprecate "keep-state" with
"save-state default".
I'm sorry I didn't understand what Lev Serebryakov suggests, and I could
duplicate his suggestion.
Maybe there is a sense to add "search-state" option and use it instead of "check-state"
action. E.g. "allow dst-port 80 search-state NAME".
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: [RFC] ipfw named states support
On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote: Hi All, We have the patch that adds named states support to ipfw. like it and have wished for this for along time this allows per-interface state. Can state name be set to a variable we can set or something? then we could have subroutines that can be used for multiple interfaces. (I guess we need variables first) This expands flexibility and functionality. Imagine the situation: [ LAN1 ] <---> [ FW ] <---> [ LAN2 ] add skipto 1 ip from any to any via lan1 add skipto 2 ip from any to any via lan2 add deny ip from any to any add 1 count ip from any to any ... add allow ip from to any keep-state in add deny ip from any to any add 2 count ip from any to any ... add allow ip from to any keep-state in add deny ip from any to any The problem is that a state created by first keep-state rule will act on second keep-state rule and allow traffic to go into (out from router's point of view) lan2 without any rules actually allowing that. With named states we can create separate states for each interface and they will not match when we don't want this. what does the ipfw -d list output look like? What I want to discuss -- 1. Is this feature useful? 2. How to commit it? Due to changed syntax it can break existing rulesets. Probably, we can add some mandatory prefix to state name, e.g. ':'. ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: [RFC] ipfw named states support
On 26/05/2016 6:11 PM, Dmitry Selivanov wrote:
18.05.2016 17:46, Andrey V. Elsukov пишет:
We have the patch that adds named states support to ipfw.
The idea is that we add a symbolic name-label to each dynamic state in
addition to IP addresses, protocol and ports.
This introduces new syntax for check-state and keep-state rules:
check-state { token | default | any }
keep-state { token | default }
1. Is this feature useful?
Yes.
2. How to commit it? Due to changed syntax it can break existing
rulesets. Probably, we can add some mandatory prefix to state name,
e.g.
':'.
Maybe create new opcode, e.g. "save-state", and deprecate
"keep-state" with "save-state default".
I'm sorry I didn't understand what Lev Serebryakov suggests, and I
could duplicate his suggestion.
I have already hoped for a different version of keep-state, that
saves the state without actually acting upon it.
Maybe there is a sense to add "search-state" option and use it
instead of "check-state" action. E.g. "allow dst-port 80
search-state NAME".
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: [RFC] ipfw named states support
On 30.05.16 07:56, Julian Elischer wrote: > On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote: >> Hi All, >> >> We have the patch that adds named states support to ipfw. > > like it and have wished for this for along time > this allows per-interface state. Can state name be set to a variable we > can set or something? > then we could have subroutines that can be used for multiple interfaces. > (I guess we need variables first) You are specifying the name when adding rule. E.g. # ipfw add allow tcp from me to any out igb1 keep-state igb1 # ipfw -d show 100 00100 317 36316 allow tcp from me to any out via igb1 keep-state igb1 ## Dynamic rules: 00100 5 317 (246s) STATE tcp A.B.C.144 21131 <-> C.D.E.93 22 igb1 00100 0 0 (1s) STATE tcp A.B.C.144 22 <-> F.G.35.120 30876 igb1 # ipfw -d show 200 300 00200 440 42779 allow ip from table(1) to me in keep-state SOME_NET 00300 119 17416 allow tcp from me to any out keep-state MY_OUTGOUING ## Dynamic rules (3 424): 003004254 (286s) STATE tcp A.B.C.144 41280 <-> X.Y.178.135 22 MY_OUTGOUING 003003244 (1s) STATE tcp A.B.C.144 22 <-> C.D.E.93 26951 MY_OUTGOUING 00200 343 33995 (286s) STATE tcp F.G.35.120 62486 <-> A.B.C.144 22 SOME_NET >> With named states we can create separate states for each interface and >> they will not match when we don't want this. > what does the ipfw -d list output look like? The output is the same, just state name is added to the end of line. -- WBR, Andrey V. Elsukov signature.asc Description: OpenPGP digital signature
