faucet
learn reverse flows to improve security
Currently, in order to enable flows from ephemeral ports I basically need to allow all potential source ports for a flow, simply restricting the source as identified by MAC/IP. The problem is then the reverse flow (required for TCP or most UDP protocols), where I end up having to whitelist all the destination ports, which ends up being a pretty big security hole.
Ideally, in addition to learning the MAC address of each port, FAUCET could also learn the required reverse flow. So, if I marked a particular ACL rule with "learn_flow", then when there was a forward packet matching A:?->B:Y, it would automatically learn the reverse flow of B:Y->A:X where X is the learned value from A:?.
This is definitely a non-critical "enhancement" that would improve overall system security, but would likely require a non-trivial amount of work.
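The reverse-flow learning sketched in this issue, as an added example that is not FAUCET's code: a minimal ACL model where a rule with a wildcarded (ephemeral) source port can carry a hypothetical learn_flow flag, so that a forward match A:?->B:Y installs the exact reverse tuple B:Y->A:X instead of a blanket destination-port whitelist. The Rule/Acl/Packet names, the 10.0.0.x addresses and the port numbers are constructed for the demo.

```python
# Added example, not FAUCET code: model of the "learn_flow" idea from the issue.
# A rule with src_port=None matches any (ephemeral) source port; if learn_flow
# is set, a forward match learns the exact reverse 5-tuple, so return traffic
# is permitted only for flows actually seen, not for every destination port.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    src_port: Optional[int] = None   # None = any source port (ephemeral)
    learn_flow: bool = False         # hypothetical flag from the issue

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.src_ip == self.src_ip
                and p.dst_ip == self.dst_ip and p.dst_port == self.dst_port
                and (self.src_port is None or p.src_port == self.src_port))


class Acl:
    def __init__(self, rules):
        self.rules = list(rules)
        self.learned = set()   # exact reverse tuples installed on demand

    def allow(self, p: Packet) -> bool:
        """True if permitted; a forward match on a learn_flow rule learns B:Y->A:X."""
        if p in self.learned:
            return True
        for r in self.rules:
            if r.matches(p):
                if r.learn_flow:
                    self.learned.add(Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto))
                return True
        return False


def demo() -> dict:
    # Constructed scenario: host A (10.0.0.1) may reach B (10.0.0.2) on tcp/443.
    acl = Acl([Rule("10.0.0.1", "10.0.0.2", 443, learn_flow=True)])
    return {
        "reverse_before_forward": acl.allow(Packet("10.0.0.2", 443, "10.0.0.1", 50000)),
        "forward": acl.allow(Packet("10.0.0.1", 50000, "10.0.0.2", 443)),
        "reverse_after_forward": acl.allow(Packet("10.0.0.2", 443, "10.0.0.1", 50000)),
        "reverse_other_port": acl.allow(Packet("10.0.0.2", 443, "10.0.0.1", 22)),
    }
```

Only the learned reverse tuple passes; an unsolicited packet from B to any other port on A is still dropped.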