Date: Mon, 13 Dec 2004 12:53:05 -0500
From: Richard A Steenbergen <ras@e-gerbil.net>
To: Andre Oppermann <andre@freebsd.org>
Cc: net@freebsd.org
Subject: Re: per-interface packet filters
Message-ID: <20041213175305.GR6312@overlord.e-gerbil.net>
In-Reply-To: <41BDABFB.E64C0A31@freebsd.org>
References: <20041213124051.GB32719@cell.sick.ru> <41BDABFB.E64C0A31@freebsd.org>
On Mon, Dec 13, 2004 at 03:49:31PM +0100, Andre Oppermann wrote:
> > I'd like to implement per-interface pfil hooks, like in the Cisco
> > world. Each interface may have an 'in' list of rules and an 'out' list
> > of rules. The current global ip_{input,output} filters may coexist
> > with per-interface ones, but can be turned off.
>
> Different worlds. I wonder why everything has to be "like Cisco". It's
> not always the most clever way they solve a given problem.

The worlds are only different in so much as "most" FreeBSD boxes only have one network interface. If you have more than one interface on ANY platform, you really really really want the ability to have separate interface rulesets. Trying to cram everything into one list with interface matching qualifiers, even if there is a magic optimization layer which whisks away the rules which cannot match, is unnecessarily messy and backwards.

Note that the ability to use a global filter is also still perfectly appropriate for a host vs a router. I don't see any reason that you couldn't support both, with interface specific rules being processed before global.

As someone who has clearly spent a lot of time trying to un-hose fbsd's legacy network code, I'm surprised to see you on the wrong side of that argument. :)

--
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C  53AF 4C41 5ECA F8B1 2CBC)
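The two rule organisations argued about in this message, as an added user-space model (not code from the thread, and not FreeBSD's pfil or ipfw code): one flat global list in which every rule carries interface and direction qualifiers, versus per-interface 'in'/'out' lists that are consulted first, with a global list seeing only what the interface list did not decide. The interface names em0/em1, the rules, the default-deny policy and the sample packets are all constructed for illustration; the point shown is the evaluation order and how many rules each design has to examine per packet.

```c
/* Constructed model of "one global list with interface qualifiers" (design A)
 * versus "per-interface in/out lists, then a global list" (design B).
 * Not kernel code: a plain user-space simulation with made-up rules. */
#include <stdio.h>
#include <string.h>

enum action { ACT_NONE = -1, ACT_PASS = 0, ACT_DROP = 1 };
enum dir { DIR_IN = 0, DIR_OUT = 1, DIR_ANY = 2 };

struct pkt { const char *ifname; enum dir dir; int proto; int dport; };

/* One rule; NULL / DIR_ANY / 0 in a field means "match anything". */
struct rule { const char *ifname; enum dir dir; int proto; int dport; enum action act; };

#define MAXRULES 8
struct ruleset { struct rule r[MAXRULES]; int n; };

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    if (r->ifname && strcmp(r->ifname, p->ifname) != 0) return 0;
    if (r->dir != DIR_ANY && r->dir != p->dir) return 0;
    if (r->proto && r->proto != p->proto) return 0;
    if (r->dport && r->dport != p->dport) return 0;
    return 1;
}

/* First-match walk; every rule examined is counted in *cost. */
static enum action run_ruleset(const struct ruleset *rs, const struct pkt *p, int *cost)
{
    for (int i = 0; i < rs->n; i++) {
        (*cost)++;
        if (rule_matches(&rs->r[i], p)) return rs->r[i].act;
    }
    return ACT_NONE;
}

/* Design A: one global list; each rule names the interface/direction it applies to.
 * Constructed policy: em0 faces the Internet, em1 the LAN. */
static const struct ruleset flat = { {
    { "em0", DIR_IN,  6, 22, ACT_DROP },   /* no SSH from the outside   */
    { "em0", DIR_IN,  6, 80, ACT_PASS },   /* web server reachable      */
    { "em0", DIR_OUT, 0, 0,  ACT_PASS },
    { "em1", DIR_IN,  0, 0,  ACT_PASS },   /* LAN side is open          */
    { "em1", DIR_OUT, 0, 0,  ACT_PASS },
    { NULL,  DIR_ANY, 6, 23, ACT_DROP },   /* no telnet on any interface */
}, 6 };

/* Design B: the same policy as per-interface in/out lists plus one global list. */
struct iface { const char *name; struct ruleset in, out; };

static const struct iface ifaces[2] = {
    { "em0", { { { NULL, DIR_ANY, 6, 22, ACT_DROP }, { NULL, DIR_ANY, 6, 80, ACT_PASS } }, 2 },
             { { { NULL, DIR_ANY, 0, 0, ACT_PASS } }, 1 } },
    { "em1", { { { NULL, DIR_ANY, 0, 0, ACT_PASS } }, 1 },
             { { { NULL, DIR_ANY, 0, 0, ACT_PASS } }, 1 } },
};
static const struct ruleset global_rules = { { { NULL, DIR_ANY, 6, 23, ACT_DROP } }, 1 };

/* Per-interface rules run first; the global list only sees what they did not decide. */
enum action filter_per_iface(const struct pkt *p, int *cost)
{
    for (int i = 0; i < 2; i++) {
        if (strcmp(ifaces[i].name, p->ifname) != 0) continue;
        enum action a = run_ruleset(p->dir == DIR_IN ? &ifaces[i].in : &ifaces[i].out, p, cost);
        if (a != ACT_NONE) return a;
        break;
    }
    enum action a = run_ruleset(&global_rules, p, cost);
    return a == ACT_NONE ? ACT_DROP : a;              /* default deny */
}

enum action filter_flat(const struct pkt *p, int *cost)
{
    enum action a = run_ruleset(&flat, p, cost);
    return a == ACT_NONE ? ACT_DROP : a;              /* default deny */
}

/* Scalar wrappers: decision and number of rules examined for one packet. */
int per_iface_action(const char *ifn, enum dir d, int proto, int dport)
{ struct pkt p = { ifn, d, proto, dport }; int c = 0; return filter_per_iface(&p, &c); }
int per_iface_cost(const char *ifn, enum dir d, int proto, int dport)
{ struct pkt p = { ifn, d, proto, dport }; int c = 0; filter_per_iface(&p, &c); return c; }
int flat_action(const char *ifn, enum dir d, int proto, int dport)
{ struct pkt p = { ifn, d, proto, dport }; int c = 0; return filter_flat(&p, &c); }
int flat_cost(const char *ifn, enum dir d, int proto, int dport)
{ struct pkt p = { ifn, d, proto, dport }; int c = 0; filter_flat(&p, &c); return c; }

int main(void)
{
    /* Constructed sample packets: (interface, direction, protocol, destination port). */
    static const struct pkt samples[] = {
        { "em0", DIR_IN, 6, 22 }, { "em1", DIR_IN, 6, 22 }, { "em0", DIR_IN, 6, 23 },
        { "em0", DIR_IN, 6, 443 }, { "em0", DIR_OUT, 17, 53 },
    };
    printf("%-4s %-4s %-5s %-5s | %-5s %-4s | %-6s %-4s\n",
           "if", "dir", "proto", "dport", "flat", "cost", "per-if", "cost");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct pkt *p = &samples[i];
        int cf = 0, cp = 0;
        enum action af = filter_flat(p, &cf), ap = filter_per_iface(p, &cp);
        printf("%-4s %-4s %-5d %-5d | %-5s %-4d | %-6s %-4d\n", p->ifname,
               p->dir == DIR_IN ? "in" : "out", p->proto, p->dport,
               af == ACT_PASS ? "pass" : "drop", cf, ap == ACT_PASS ? "pass" : "drop", cp);
    }
    return 0;
}
```

Both designs reach the same decision for every sample packet; what differs is that the flat list walks rules that can never apply to the packet's interface (a LAN packet on em1 is checked against three em0 rules before its own "pass any" is reached), while the per-interface lists are only as long as that interface's own policy. The model also makes the ordering consequence of "interface rules before global" visible: an interface list that ends in "pass any" shadows every global rule for that interface, so a global deny (here, telnet) only protects interfaces whose own list does not already decide the packet.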