From 9309dfe2fc5f2db5a50d902ab86481912535cdb8 Mon Sep 17 00:00:00 2001 From: Ivan Morozko Date: Thu, 4 Jul 2024 14:37:15 +0300 Subject: [PATCH] Change keep-state with record-state in whole project In YANET the keep-state directive only stores the state of packets, similar to ipfw's record-state, and does not include an implicit check-state for all packets like in ipfw. So we rename keep-state to record-state to accurately reflect its function. Closes #166 --- .../036_firewall_keepstate/firewall.txt | 4 ++-- .../firewall.txt | 4 ++-- .../firewall.txt | 4 ++-- .../firewall.txt | 6 ++--- .../045_firewall_out/firewall.txt | 2 +- .../050_firewall_state_resend/firewall.txt | 4 ++-- .../firewall.txt | 4 ++-- .../052_firewall_samples/firewall.txt | 4 ++-- .../059_firewall_tablearg/firewall.conf.txt | 2 +- cli/acl.h | 12 +++++----- cli/main.cpp | 2 +- common/icp.h | 2 +- common/type.h | 2 +- controlplane/acl.cpp | 18 +++++++-------- controlplane/acl.h | 2 +- controlplane/acl/rule.h | 22 +++++++++---------- controlplane/controlplane.cpp | 4 ++-- controlplane/unittest/parser.cpp | 6 ++--- dataplane/action_dispatcher.h | 4 ++-- dataplane/worker.cpp | 2 +- dataplane/worker.h | 2 +- libfwparser/fw_config.cpp | 4 ++-- libfwparser/fw_config.h | 4 ++-- libfwparser/fw_parser.y | 12 +++++----- libfwparser/token.l | 2 +- parser/fw_dump.cpp | 2 +- 26 files changed, 68 insertions(+), 68 deletions(-) diff --git a/autotest/units/001_one_port/036_firewall_keepstate/firewall.txt b/autotest/units/001_one_port/036_firewall_keepstate/firewall.txt index 962d19ad..4edb59a8 100644 --- a/autotest/units/001_one_port/036_firewall_keepstate/firewall.txt +++ b/autotest/units/001_one_port/036_firewall_keepstate/firewall.txt 
@@ -3,6 +3,6 @@ add skipto :IN ip from any to any in :IN add check-state -add allow udp from 11.0.0.0/24 to any 53 keep-state -add allow udp from any to 2a03:6b8:ff1c:2030::/60 53 keep-state +add allow udp from 11.0.0.0/24 to any 53 record-state +add allow udp from any to 2a03:6b8:ff1c:2030::/60 53 record-state add deny ip from any to any diff --git a/autotest/units/001_one_port/037_firewall_keepstate_with_sync/firewall.txt b/autotest/units/001_one_port/037_firewall_keepstate_with_sync/firewall.txt index ee07999d..5dbd6b61 100644 --- a/autotest/units/001_one_port/037_firewall_keepstate_with_sync/firewall.txt +++ b/autotest/units/001_one_port/037_firewall_keepstate_with_sync/firewall.txt @@ -3,6 +3,6 @@ add skipto :IN ip from any to any in :IN add check-state -add allow udp from 10.0.0.0/24 to any 53 keep-state -add allow udp from any to 2121:bbb8:ff1c:2030::/60 53 keep-state +add allow udp from 10.0.0.0/24 to any 53 record-state +add allow udp from any to 2121:bbb8:ff1c:2030::/60 53 record-state add deny ip from any to any diff --git a/autotest/units/001_one_port/039_firewall_keepstate_with_sync_tcp/firewall.txt b/autotest/units/001_one_port/039_firewall_keepstate_with_sync_tcp/firewall.txt index 187351ce..72fbefd3 100644 --- a/autotest/units/001_one_port/039_firewall_keepstate_with_sync_tcp/firewall.txt +++ b/autotest/units/001_one_port/039_firewall_keepstate_with_sync_tcp/firewall.txt @@ -3,6 +3,6 @@ add skipto :IN ip from any to any in :IN add check-state -add allow tcp from 12.0.0.0/24 to any 12345 keep-state -add allow tcp from any to 2a22:6b8:ff1c:2030::/60 12345 keep-state +add allow tcp from 12.0.0.0/24 to any 12345 record-state +add allow tcp from any to 2a22:6b8:ff1c:2030::/60 12345 record-state add deny ip from any to any diff --git a/autotest/units/001_one_port/040_firewall_keepstate_with_sync_mixed/firewall.txt b/autotest/units/001_one_port/040_firewall_keepstate_with_sync_mixed/firewall.txt index be26b2d9..6bfd1867 100644 
--- a/autotest/units/001_one_port/040_firewall_keepstate_with_sync_mixed/firewall.txt +++ b/autotest/units/001_one_port/040_firewall_keepstate_with_sync_mixed/firewall.txt @@ -3,7 +3,7 @@ add skipto :IN ip from any to any in :IN add check-state -add allow ip from 13.0.0.0/24 to any keep-state -add allow ip from any to 2332:898:ff1c:2030::/64 keep-state -add allow tcp from 2332:898:ffee:0:0:5678::/ffff:ffff:ffff:0000:ffff:ffff:: to 2332:898:ffee:0:0:5678::/ffff:ffff:ffff:0000:ffff:ffff:: 10053 keep-state +add allow ip from 13.0.0.0/24 to any record-state +add allow ip from any to 2332:898:ff1c:2030::/64 record-state +add allow tcp from 2332:898:ffee:0:0:5678::/ffff:ffff:ffff:0000:ffff:ffff:: to 2332:898:ffee:0:0:5678::/ffff:ffff:ffff:0000:ffff:ffff:: 10053 record-state add deny ip from any to any diff --git a/autotest/units/001_one_port/045_firewall_out/firewall.txt b/autotest/units/001_one_port/045_firewall_out/firewall.txt index 39d1f64b..2f4949f6 100644 --- a/autotest/units/001_one_port/045_firewall_out/firewall.txt +++ b/autotest/units/001_one_port/045_firewall_out/firewall.txt @@ -38,7 +38,7 @@ add deny ip from any to any :SKP2 add allow tcp from f805@2222:898:c00::/40 to { 2222:898:bf00:400::1 } 443 -add allow tcp from f805@2222:898:c00::/40 to { 2222:898:bf00:400::2 } 443 keep-state +add allow tcp from f805@2222:898:c00::/40 to { 2222:898:bf00:400::2 } 443 record-state add allow ip from any to any frag add deny tcp from any to any tcpflags rst diff --git a/autotest/units/001_one_port/050_firewall_state_resend/firewall.txt b/autotest/units/001_one_port/050_firewall_state_resend/firewall.txt index 146a23f4..ca489933 100644 --- a/autotest/units/001_one_port/050_firewall_state_resend/firewall.txt +++ b/autotest/units/001_one_port/050_firewall_state_resend/firewall.txt 
@@ -3,6 +3,6 @@ add skipto :IN ip from any to any in :IN add check-state -add allow udp from 10.0.0.0/24 to any 53 keep-state -add allow udp from any to 2020:ddd:ff1c:2030::/60 53 keep-state +add allow udp from 10.0.0.0/24 to any 53 record-state +add allow udp from any to 2020:ddd:ff1c:2030::/60 53 record-state add deny ip from any to any diff --git a/autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/firewall.txt b/autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/firewall.txt index 7a7f402d..387fbf00 100644 --- a/autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/firewall.txt +++ b/autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/firewall.txt @@ -3,6 +3,6 @@ add skipto :IN ip from any to any in :IN add check-state -add allow tcp from 12.0.0.0/24 to any 12345 keep-state -add allow tcp from any to 2220:ddd:ff1c:2030::/60 12345 keep-state +add allow tcp from 12.0.0.0/24 to any 12345 record-state +add allow tcp from any to 2220:ddd:ff1c:2030::/60 12345 record-state add deny ip from any to any diff --git a/autotest/units/001_one_port/052_firewall_samples/firewall.txt b/autotest/units/001_one_port/052_firewall_samples/firewall.txt index 616a343c..d8867865 100644 --- a/autotest/units/001_one_port/052_firewall_samples/firewall.txt +++ b/autotest/units/001_one_port/052_firewall_samples/firewall.txt @@ -3,6 +3,6 @@ add skipto :IN ip from any to any in :IN add check-state -add allow tcp from 11.0.0.0/24 to any 53 keep-state -add allow tcp from any to 2111:aaa:ff1c:2030::/60 53 keep-state +add allow tcp from 11.0.0.0/24 to any 53 record-state +add allow tcp from any to 2111:aaa:ff1c:2030::/60 53 record-state add deny ip from any to any diff --git a/autotest/units/001_one_port/059_firewall_tablearg/firewall.conf.txt b/autotest/units/001_one_port/059_firewall_tablearg/firewall.conf.txt index e8c2346d..66f4d26d 100644 --- a/autotest/units/001_one_port/059_firewall_tablearg/firewall.conf.txt 
+++ b/autotest/units/001_one_port/059_firewall_tablearg/firewall.conf.txt @@ -35,5 +35,5 @@ add deny log logamount 500 all from any to any :TUN64_SKP5 add deny tcp from any to any setup add allow udp from any src-port 53 to any dst-port 1025-65535 -add allow ip from any to any keep-state in +add allow ip from any to any record-state in add deny log logamount 500 all from any to any diff --git a/cli/acl.h b/cli/acl.h index 719b098d..7579300f 100644 --- a/cli/acl.h +++ b/cli/acl.h @@ -25,7 +25,7 @@ void unwind(const std::string& in_module, std::optional transport_source, std::optional transport_destination, std::optional transport_flags, - std::optional keepstate) + std::optional recordstate) { std::optional module = in_module; @@ -38,7 +38,7 @@ void unwind(const std::string& in_module, optional_helper(transport_source); optional_helper(transport_destination); optional_helper(transport_flags); - optional_helper(keepstate); + optional_helper(recordstate); interface::controlPlane controlplane; auto response = controlplane.acl_unwind({module, @@ -50,7 +50,7 @@ void unwind(const std::string& in_module, transport_source, transport_destination, transport_flags, - keepstate}); + recordstate}); table_t table({.optional_null = "any"}); table.insert("module", @@ -62,12 +62,12 @@ void unwind(const std::string& in_module, "transport_source", "transport_destination", "transport_flags", - "keepstate", + "recordstate", "next_module", "ids", "log"); - for (const auto& [module, direction, network_source, network_destination, fragment, protocol, transport_source, transport_destination, transport_flags, keepstate, next_module, ids, log] : response) + for (const auto& [module, direction, network_source, network_destination, fragment, protocol, transport_source, transport_destination, transport_flags, recordstate, next_module, ids, log] : response) { table.insert(module, direction, 
@@ -78,7 +78,7 @@ void unwind(const std::string& in_module, transport_source, transport_destination, transport_flags, - keepstate, + recordstate, next_module, ids, log); diff --git a/cli/main.cpp b/cli/main.cpp index 414c2f1d..4b5a2718 100644 --- a/cli/main.cpp +++ b/cli/main.cpp @@ -39,7 +39,7 @@ std::vector ", [](const auto& args) { call(acl::unwind, args); }}, + {"acl unwind", "[module] ", [](const auto& args) { call(acl::unwind, args); }}, {"acl lookup", " ", [](const auto& args) { call(acl::lookup, args); }}, {"decap", "", [](const auto& args) { call(show::decap::summary, args); }}, {"decap announce", "", [](const auto& args) { call(show::decap::announce, args); }}, diff --git a/common/icp.h b/common/icp.h index 3b2b7810..73d80f67 100644 --- a/common/icp.h +++ b/common/icp.h @@ -724,7 +724,7 @@ using request = std::tuple, ///< module std::optional, ///< transport_source std::optional, ///< transport_destination std::optional, ///< transport_flags - std::optional>; ///< keepstate + std::optional>; ///< recordstate using response = std::vector, std::optional, diff --git a/common/type.h b/common/type.h index 570b3633..d4357585 100644 --- a/common/type.h +++ b/common/type.h @@ -2273,7 +2273,7 @@ inline const char* eFlowType_toString(eFlowType t) enum class eFlowFlags : uint8_t { - keepstate = 1, + recordstate = 1, log = 2, }; diff --git a/controlplane/acl.cpp b/controlplane/acl.cpp index e523006f..6a568d5f 100644 --- a/controlplane/acl.cpp +++ b/controlplane/acl.cpp @@ -569,7 +569,7 @@ unwind_result unwind(const std::map& acl const std::optional& transport_source, const std::optional& transport_destination, const std::optional& transport_flags, - const std::optional& in_keepstate) + const std::optional& in_recordstate) { (void)module; 
@@ -664,7 +664,7 @@ unwind_result unwind(const std::map& acl std::string transport_source = "any"; std::string transport_destination = "any"; std::string transport_flags = "any"; - std::string keepstate = "false"; + std::string recordstate = "false"; std::string next_module = "any"; std::string log = rule.log ? "true" : "false"; @@ -719,13 +719,13 @@ unwind_result unwind(const std::map& acl } } - if (rule.filter->keepstate) + if (rule.filter->recordstate) { - keepstate = "true"; + recordstate = "true"; } - if (in_keepstate && - keepstate != *in_keepstate) + if (in_recordstate && + recordstate != *in_recordstate) { continue; } @@ -754,7 +754,7 @@ unwind_result unwind(const std::map& acl transport_source, transport_destination, transport_flags, - keepstate, + recordstate, next_module, ids, log); @@ -893,9 +893,9 @@ std::vector unwind_used_rules(const std::map(rule.action); - if (rule.filter->keepstate) + if (rule.filter->recordstate) { - flow.flags |= (int)common::globalBase::eFlowFlags::keepstate; + flow.flags |= (int)common::globalBase::eFlowFlags::recordstate; } if (rule.log) { diff --git a/controlplane/acl.h b/controlplane/acl.h index 077bb083..e3a73405 100644 --- a/controlplane/acl.h +++ b/controlplane/acl.h @@ -67,7 +67,7 @@ unwind_result unwind(const std::map& acl const std::optional& transport_source, const std::optional& transport_destination, const std::optional& transport_flags, - const std::optional& keepstate); + const std::optional& recordstate); std::set lookup(const std::map& acls, const acl::iface_map_t& ifaces, diff --git a/controlplane/acl/rule.h b/controlplane/acl/rule.h index c3f4712d..ea0beccd 100644 --- a/controlplane/acl/rule.h +++ b/controlplane/acl/rule.h @@ -850,7 +850,7 @@ struct filter_t : filter_base_t ref_t flags; ref_t proto; ref_t dir; - ref_t keepstate; + ref_t recordstate; filter_t(const ref_t& _acl_id, const ref_t& _src, 
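Review bot: The filter check `recordstate != *in_recordstate` in the hunk at line 719 is a plain string comparison against the literals `"true"` and `"false"`, so any other spelling from the caller (for example `1` or `yes`) takes the `continue` for every rule and, unless the value is validated earlier, the unwind comes back empty without an error. Since `acl unwind` is the tool an operator would use to see which rules create state, an empty result from a mistyped filter is easy to misread as "no stateful rules". Consider rejecting values other than `true`/`false` before the loop, or at least documenting the contract with a comment such as `// in_recordstate must be "true" or "false"; any other value matches no rule`. The enclosing `unwind` function starts and ends outside this hunk.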
@@ -858,14 +858,14 @@ struct filter_t : filter_base_t const ref_t& _flags, const ref_t& _proto, const ref_t& _dir, - const ref_t& keepstate) : + const ref_t& recordstate) : acl_id(_acl_id), src(_src), dst(_dst), flags(_flags), proto(_proto), dir(_dir), - keepstate(keepstate) + recordstate(recordstate) {} filter_t(ipfw::rule_ptr_t rulep) @@ -919,15 +919,15 @@ struct filter_t : filter_base_t dir = new filter_id_t(1); break; } - if (rulep->keepstate) + if (rulep->recordstate) { - keepstate = new filter_bool_t(true); + recordstate = new filter_bool_t(true); } } virtual bool is_none() const { - return acl_id.is_none() || src.is_none() || dst.is_none() || proto.is_none() || dir.is_none() || keepstate.is_none(); + return acl_id.is_none() || src.is_none() || dst.is_none() || proto.is_none() || dir.is_none() || recordstate.is_none(); } virtual std::string to_string() const @@ -954,9 +954,9 @@ struct filter_t : filter_base_t { ret += " frag " + frag_to_string(flags); } - if (keepstate) + if (recordstate) { - ret += " keepstate"; + ret += " recordstate"; } if (acl_id) @@ -969,7 +969,7 @@ struct filter_t : filter_base_t bool operator==(const filter_t& o) const { - return src == o.src && dst == o.dst && flags == o.flags && proto == o.proto && dir == o.dir && keepstate == o.keepstate; + return src == o.src && dst == o.dst && flags == o.flags && proto == o.proto && dir == o.dir && recordstate == o.recordstate; } }; @@ -1024,7 +1024,7 @@ inline ref_t and_op(const ref_t& a, const ref_t& b a.filter->flags & b.filter->flags, a.filter->proto & b.filter->proto, a.filter->dir & b.filter->dir, - a.filter->keepstate & b.filter->keepstate); + a.filter->recordstate & b.filter->recordstate); } const int64_t DISPATCHER = -1; @@ -1345,7 +1345,7 @@ struct hash size_t operator()(const acl::filter_t& f) const noexcept { size_t h = 0; - hash_combine(h, f.src, f.dst, f.flags, f.proto, f.dir, f.keepstate); + hash_combine(h, f.src, f.dst, f.flags, f.proto, f.dir, f.recordstate); return h; } 
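Review bot: In the constructor hunk at line 858 the renamed parameter `recordstate` still shadows the member it initialises (`recordstate(recordstate)`), while every sibling parameter uses the underscore form (`_acl_id`, `_src`, `_dst`, `_flags`, `_proto`, `_dir`). The initialiser itself is well-defined, but the name is inconsistent with the rest of the signature and builds with `-Wshadow` will flag it. Since the line is being touched anyway, rename it to match the others: `_recordstate` in the parameter list and `recordstate(_recordstate)` in the initialiser.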
diff --git a/controlplane/controlplane.cpp b/controlplane/controlplane.cpp index d8919c29..8cdf96fc 100644 --- a/controlplane/controlplane.cpp +++ b/controlplane/controlplane.cpp @@ -411,7 +411,7 @@ common::icp::limit_summary::response cControlPlane::limit_summary() const common::icp::acl_unwind::response cControlPlane::acl_unwind(const common::icp::acl_unwind::request& request) const { - const auto& [module, direction, network_source, network_destination, fragment, protocol, transport_source, transport_destination, transport_flags, keepstate] = request; + const auto& [module, direction, network_source, network_destination, fragment, protocol, transport_source, transport_destination, transport_flags, recordstate] = request; generations.current_lock(); std::map acls = generations.current().acls; @@ -430,7 +430,7 @@ common::icp::acl_unwind::response cControlPlane::acl_unwind(const common::icp::a acls.swap(acls_next); } - return acl::unwind(acls, iface_map, module, direction, network_source, network_destination, fragment, protocol, transport_source, transport_destination, transport_flags, keepstate); + return acl::unwind(acls, iface_map, module, direction, network_source, network_destination, fragment, protocol, transport_source, transport_destination, transport_flags, recordstate); } common::icp::acl_lookup::response cControlPlane::acl_lookup(const common::icp::acl_lookup::request& request) const diff --git a/controlplane/unittest/parser.cpp b/controlplane/unittest/parser.cpp index fa912554..14534002 100644 --- a/controlplane/unittest/parser.cpp +++ b/controlplane/unittest/parser.cpp 
@@ -172,10 +172,10 @@ add allow udp from { _CNETS_ or _DNETS_ } dst-port 3784,4784 to { _CNETS_ or _DN EXPECT_FALSE(parse_rules(rules)); } -TEST(Parser, 017_KeepStateOption) +TEST(Parser, 017_RecordStateOption) { const auto rules = R"IPFW( -add allow icmp from me to any icmptypes 8 out keep-state +add allow icmp from me to any icmptypes 8 out record-state )IPFW"; EXPECT_TRUE(parse_rules(rules)); } @@ -220,7 +220,7 @@ TEST(Parser, 020_IgnoredOptions) const auto rules = R"IPFW( # just ignore antispoof, diverted, logamount, tag, tagged, add allow tcp from 10.0.0.0/8 to 10.0.0.0/8 80 in antispoof -add 65534 allow ip from any to any diverted keep-state +add 65534 allow ip from any to any diverted record-state add deny log logamount 500 all from any to any add allow tag 653 ip4 from { 10.0.0.0/8 } to me add allow ip from any to any tagged 31000 diff --git a/dataplane/action_dispatcher.h b/dataplane/action_dispatcher.h index d0c76aaa..ee399965 100644 --- a/dataplane/action_dispatcher.h +++ b/dataplane/action_dispatcher.h @@ -111,9 +111,9 @@ struct ActionDispatcher { worker->acl_log(mbuf, action.flow, acl_id); } - if (action.flow.flags & (uint8_t)common::globalBase::eFlowFlags::keepstate) + if (action.flow.flags & (uint8_t)common::globalBase::eFlowFlags::recordstate) { - worker->acl_create_keepstate(mbuf, acl_id, action.flow); + worker->acl_create_state(mbuf, acl_id, action.flow); } if constexpr (Direction == FlowDirection::Egress) diff --git a/dataplane/worker.cpp b/dataplane/worker.cpp index af5e3f57..f485001a 100644 --- a/dataplane/worker.cpp +++ b/dataplane/worker.cpp @@ -4828,7 +4828,7 @@ inline cWorker::FlowFromState cWorker::acl_checkstate(rte_mbuf* mbuf, return {flow}; } -inline void cWorker::acl_create_keepstate(rte_mbuf* mbuf, tAclId aclId, const common::globalBase::tFlow& flow) +inline void cWorker::acl_create_state(rte_mbuf* mbuf, tAclId aclId, const common::globalBase::tFlow& flow) { dataplane::metadata* metadata = YADECAP_METADATA(mbuf); 
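Review bot: The renamed test `017_RecordStateOption` only checks that `record-state` parses; nothing pins what now happens to a ruleset that still says `keep-state`, a keyword the lexer no longer has after this commit. Whether such a rule is rejected or the word is picked up by some other token pattern cannot be seen from the hunks here, so a negative case is worth adding next to this one, e.g. `EXPECT_FALSE(parse_rules("add allow ip from any to any keep-state\n"));` if rejection is the intended behaviour.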
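Review bot: The flag test `action.flow.flags & (uint8_t)common::globalBase::eFlowFlags::recordstate` in dataplane/action_dispatcher.h uses a C-style cast, and the producer side in controlplane/acl.cpp (hunk at line 893) casts the same enumerator with `(int)` instead. common/type.h declares `enum class eFlowFlags : uint8_t`, so both sites could use `static_cast<uint8_t>(common::globalBase::eFlowFlags::recordstate)` to keep the width consistent and the cast greppable. The surrounding function starts and ends outside this hunk.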
diff --git a/dataplane/worker.h b/dataplane/worker.h index c178ba5e..d47ed823 100644 --- a/dataplane/worker.h +++ b/dataplane/worker.h @@ -188,7 +188,7 @@ class cWorker inline FlowFromState acl_checkstate(rte_mbuf* mbuf, dataplane::globalBase::fw_state_value_t* value, dataplane::spinlock_nonrecursive_t* locker); inline FlowFromState acl_egress_checkstate(rte_mbuf* mbuf); inline FlowFromState acl_egress_checkstate(rte_mbuf* mbuf, dataplane::globalBase::fw_state_value_t* value, dataplane::spinlock_nonrecursive_t* locker); - inline void acl_create_keepstate(rte_mbuf* mbuf, tAclId aclId, const common::globalBase::tFlow& flow); + inline void acl_create_state(rte_mbuf* mbuf, tAclId aclId, const common::globalBase::tFlow& flow); inline void acl_state_emit(tAclId aclId, const dataplane::globalBase::fw_state_sync_frame_t& frame); inline void acl_egress_entry(rte_mbuf* mbuf, tAclId aclId); diff --git a/libfwparser/fw_config.cpp b/libfwparser/fw_config.cpp index 7e2f17d7..286c04d3 100644 --- a/libfwparser/fw_config.cpp +++ b/libfwparser/fw_config.cpp @@ -832,8 +832,8 @@ void fw_config_t::add_rule_opcode(const rule_t::opcode_arg_t& value) case rule_t::opcode_t::DIRECTION: m_curr_rule->direction |= std::get(value); break; - case rule_t::opcode_t::KEEPSTATE: - m_curr_rule->keepstate = true; + case rule_t::opcode_t::RECORDSTATE: + m_curr_rule->recordstate = true; break; case rule_t::opcode_t::IPID: break; diff --git a/libfwparser/fw_config.h b/libfwparser/fw_config.h index f51f3a0e..91a49437 100644 --- a/libfwparser/fw_config.h +++ b/libfwparser/fw_config.h @@ -216,7 +216,7 @@ struct rule_t enum class opcode_t { DIRECTION, - KEEPSTATE, + RECORDSTATE, IPID, IPLEN, IPTTL, @@ -299,7 +299,7 @@ struct rule_t location_history_t location; // file:lineno rule_state_t state = rule_state_t::UNKNOWN; - bool keepstate = false; + bool recordstate = false; bool log = false; // has log option unsigned int logamount = 0; // log limit unsigned int setno = 0; // set number 
diff --git a/libfwparser/fw_parser.y b/libfwparser/fw_parser.y index b3a55e5a..aa650fea 100644 --- a/libfwparser/fw_parser.y +++ b/libfwparser/fw_parser.y @@ -107,7 +107,7 @@ REASS CONFIG BW WEIGHT BUCKETS MASK SCHEDMASK NOERROR PLR DROPTAIL FLOWID PDELAY SCHED FLOWMASK LINK PRIORITY TYPE VALTYPE ALGO FIB PROFILE BURST CHECKSTATE FWD LOG LOGAMOUNT - LOGDST SETUP ESTABLISHED FRAG MF RF DF OFFSET KEEPSTATE + LOGDST SETUP ESTABLISHED FRAG MF RF DF OFFSET RECORDSTATE ICMPTYPES ICMP6TYPES FROM TO ME ME6 ANY IN OUT VIA XMIT RECV OR NOT LIMIT TABLE TCPFLAGS TCPOPTIONS T_IP T_IP4 T_IP6 IPLEN IPID IPOPTIONS IPTOS IPTTL TCPDATALEN TCPSEQ TCPWIN @@ -1259,9 +1259,9 @@ optiontoken: } icmptypes | - keepstate + recordstate { - cfg.set_rule_opcode(rule_t::opcode_t::KEEPSTATE); + cfg.set_rule_opcode(rule_t::opcode_t::RECORDSTATE); cfg.add_rule_opcode(1); } | @@ -1450,10 +1450,10 @@ fragtoken: cfg.clear_rule_flag(rule_t::ipoff_flags_t::OFFSET); } ; -keepstate: - KEEPSTATE +recordstate: + RECORDSTATE | - KEEPSTATE LABEL + RECORDSTATE LABEL ; dscpspec: dscpspectoken diff --git a/libfwparser/token.l b/libfwparser/token.l index 1bdda844..b62857b1 100644 --- a/libfwparser/token.l +++ b/libfwparser/token.l @@ -162,7 +162,7 @@ mf return ipfw::fw_parser_t::make_MF(*ploc); rf return ipfw::fw_parser_t::make_RF(*ploc); df return ipfw::fw_parser_t::make_DF(*ploc); offset return ipfw::fw_parser_t::make_OFFSET(*ploc); -keep-state return ipfw::fw_parser_t::make_KEEPSTATE(*ploc); +record-state return ipfw::fw_parser_t::make_RECORDSTATE(*ploc); icmptype|icmptypes return ipfw::fw_parser_t::make_ICMPTYPES(*ploc); icmp6type|icmp6types return ipfw::fw_parser_t::make_ICMP6TYPES(*ploc); from return ipfw::fw_parser_t::make_FROM(*ploc); diff --git a/parser/fw_dump.cpp b/parser/fw_dump.cpp index 67452ed4..1fcbf41d 100644 --- a/parser/fw_dump.cpp +++ b/parser/fw_dump.cpp 
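Review bot: The `recordstate:` rule in the hunk at line 1450 accepts `RECORDSTATE LABEL`, but the only action shown for it (`cfg.set_rule_opcode(rule_t::opcode_t::RECORDSTATE); cfg.add_rule_opcode(1);` in the hunk at line 1259) never looks at the label, and the matching case in `fw_config_t::add_rule_opcode` just sets `m_curr_rule->recordstate = true`. As far as these hunks show, a label after `record-state` (presumably a state name) is parsed and then dropped, so rules written with different labels would not be kept apart. If that is intended, say so beside the grammar rule, e.g. `/* LABEL is accepted for syntax compatibility and ignored */`; otherwise the label should be carried into the rule.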
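Review bot: Replacing the `keep-state` pattern outright in libfwparser/token.l means rulesets that still use the old keyword stop lexing as a state option as soon as this version is deployed, and the hunk provides no migration path. For a firewall configuration that is a rollout risk: depending on how the caller treats a parse failure, the new ruleset may fail to load. If a transition period is acceptable, the file's own alternation style (`icmptype|icmptypes`) would allow `keep-state|record-state return ipfw::fw_parser_t::make_RECORDSTATE(*ploc);`, ideally with a deprecation warning. If the hard break is deliberate, it should be called out in the release notes together with the semantic difference described in the commit message.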
@@ -239,7 +239,7 @@ void fw_dump_t::dump_rule(rule_ptr_t rulep) { std::cerr << "# frag = set(" << std::hex << (int)rulep->ipoff_setflags << "), clear(" << (int)rulep->ipoff_clearflags << ")" << std::dec << std::endl; } - std::cerr << "# keepstate = " << rulep->keepstate << std::endl; + std::cerr << "# recordstate = " << rulep->recordstate << std::endl; if (rulep->direction == rule_t::direction_t::IN) std::cerr << "# direction = IN" << std::endl; else if (rulep->direction == rule_t::direction_t::OUT)