From: Julian Elischer <julian@freebsd.org>
Date: Thu, 09 Feb 2012 14:47:00 -0800
To: Gleb Smirnoff
Cc: Ermal Luçi, freebsd-net, Luigi Rizzo, freebsd-hackers@freebsd.org
Subject: Re: [PATCH] multiple instances of ipfw(4)
Message-ID: <4F344CE4.301@freebsd.org>
In-Reply-To: <20120208140921.GM13554@glebius.int.ru>

On 2/8/12 6:09 AM, Gleb Smirnoff wrote:
> On Wed, Feb 08, 2012 at 03:04:09PM +0100, Ermal Luçi wrote:
> E> 2012/2/8 Gleb Smirnoff:
> E> > On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
> E> > L> if i understand what the patch does, i think it makes sense to be
> E> > L> able to hook ipfw instances to specific interfaces/sets of interfaces,
> E> > L> as it permits the writing of more readable rulesets. Right now the
> E> > L> workaround is to start the ruleset with skipto rules matching on
> E> > L> interface names, and then use some discipline in "reserving" a range
> E> > L> of rule numbers to each interface.
> E> >
> E> > This is definitely a desired feature, but it should be implemented
> E> > on the level of pfil(9). However, that would still require multiple
> E> > instances of ipfw(4).
> E> >
> E> This opens a discussion of architecture design.
> E> I do not think presently pfil(9) is designed to handle such a thing!
>
> Several years ago, I guess around 2005, a discussion on per-interface
> packet filtering was taken on the net@ mailing list. At that time, it led
> to nothing; several people were against the idea.
>
> Recently on IRC I had raised the discussion again. Today more people liked
> the idea and found it a desired feature.
>
> Many kinds of high-end networking equipment have per-interface ACLs. I know
> that networking sysadmins would be happy if FreeBSD packet filters would
> get this feature, since maintaining such ACLs is much easier on a router with
> dozens of interfaces.

I think it is a good idea, not only for interfaces but for certain routing and
bridging paths too.
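The skipto workaround Luigi describes, as an added shell example that is not part of this thread or of ipfw itself: it prints an ipfw(8) ruleset that reserves one rule-number range per interface, dispatches into each range with skipto, and checks that discipline before anything is loaded. Interface names (em0, em1) and the ports are constructed.

```shell
#!/bin/sh
# Added example: Luigi's skipto workaround, with interface i owning rules
# base..base+999. Interface names and ports below are constructed.

# Top of the ruleset: loopback first, one skipto per interface, then a
# catch-all deny for traffic on any interface that has no block of its own.
dispatch_rules() {                    # args: ifname...
    n=100; base=1000
    printf 'add 10 allow ip from any to any via lo0\n'
    for ifn in "$@"; do
        printf 'add %d skipto %d ip from any to any via %s\n' "$n" "$base" "$ifn"
        n=$((n + 100)); base=$((base + 1000))
    done
    printf 'add 900 deny ip from any to any\n'
}

# One interface's block: rules only inside its reserved range, closed by an
# explicit deny so evaluation never falls through into the next block.
iface_block() {                       # args: ifname base tcp_port...
    ifn=$1; base=$2; shift 2
    i=$base
    printf 'add %d allow ip from any to any out via %s\n' "$i" "$ifn"
    for port in "$@"; do
        i=$((i + 10))
        printf 'add %d allow tcp from any to me %s in via %s\n' "$i" "$port" "$ifn"
    done
    printf 'add %d deny ip from any to any\n' "$((base + 999))"
}

# Discipline check to run before loading: a rule numbered inside a range
# must name that range's interface or be the closing deny. Ruleset on stdin.
check_ranges() {                      # args: ifname:base ...
    status=0
    while read -r kw num rest; do
        [ "$kw" = add ] || continue
        for pair in "$@"; do
            ifn=${pair%%:*}; base=${pair#*:}
            [ "$num" -ge "$base" ] && [ "$num" -le $((base + 999)) ] || continue
            case "$rest" in
                *" via $ifn"|"deny ip from any to any") ;;
                *) echo "rule $num breaks the $ifn range: $rest" >&2; status=1 ;;
            esac
        done
    done
    return $status
}

# Sample ruleset: em0 serves ssh and https, em1 serves dns (constructed).
ruleset() { dispatch_rules em0 em1; iface_block em0 1000 22 443; iface_block em1 2000 53; }
```

Run `ruleset | check_ranges em0:1000 em1:2000` to review the generated rules; a rule that lands in another interface's range is reported on stderr and the check exits non-zero.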