From: Luigi Rizzo
Message-Id: <200005020613.IAA48539@info.iet.unipi.it>
Subject: Re: ether matching in ipfw??
In-Reply-To: <200005012021.NAA93590@bubba.whistle.com> from Archie Cobbs at "May 1, 2000 01:21:43 pm"
To: Archie Cobbs
Date: Tue, 2 May 2000 08:13:37 +0200 (CEST)
Cc: freebsd-net@FreeBSD.ORG

> > HOWEVER: for the future re-inclusion I would be a strong advocate
> > of a unified firewall interface rather than separate things
> > (etherfw, ipfw). The reason is because at times one might want
> > to interleave rules matching ethernet headers, ip headers, tcp ...
> Yes, I think that's a good idea.
>
> Seems like a good approach would be to have separate per-layer
> filtering in the kernel implementation, with a nice intuitive
> unified userland view.

as long as one can intermix rules for different layers, which is
not immediately clear to me if we implement separate per-layer
filters (in the sense that there will still be the need of a unique
list of rules which span the separate filters, meaning we need a
unified kernel interface as well).

So i guess we should end up having (in the kernel)

	net_fw.c

and then

	ether_fw.c
	ip_fw.c
	ip6_fw.c
	ipx_fw.c
	...

	cheers
	luigi