This diff adds new options (pseudo-actions) to ipfw:
- skip-immediate-action (aliased as skip-action)
These actions allows de-couple three side-effects of matched rule:
- Action itself when rule is matched in standard top-to-down rule search.
- Creation of dynamic state or limit state.
- Checking of existing states and/or limits.
Now these side-effects are tightly coupled and only possible combinations are only:
- Checking of existing state (before conditions), state creation, immediate action (keep-state and limit options).
- Checking of existing state (check-state rule).
With new options it is possible:
- Rules, which create state but not check state implicitly.
- Rules, which create state, but don't run action till dynamic rule is matched.
- Rules, which check and create state, but don't run action till dynamic rule is matched.
- Rules, which does nothing (but ipfw(8) will warn about these).
With this fine control of side-effects it is possible to write complex rulesets (like mixing NAT with statefulness and/or connection limits) more clearly.
This patch add one new opcode to kernel ipfw2 engine (O_SKIP_ACTION), change logic of ipfw(8) to allow it skip emission of O_STATE_PROBE opcode and adds dynamic state update to codepath which try to install new dynamic rule.