Date: Mon, 13 Dec 2004 22:13:34 +0100
From: Andre Oppermann
To: Richard A Steenbergen
cc: net@freebsd.org
Subject: Re: per-interface packet filters
Message-ID: <41BE05FE.7CBA6BBA@freebsd.org>
References: <20041213124051.GB32719@cell.sick.ru> <41BDABFB.E64C0A31@freebsd.org> <20041213175305.GR6312@overlord.e-gerbil.net>
List-Id: Networking and TCP/IP with FreeBSD

Richard A Steenbergen wrote:
>
> On Mon, Dec 13, 2004 at 03:49:31PM +0100, Andre Oppermann wrote:
> > > I'd like to implement per-interface pfil hooks, like in Cisco
> > > world. Each interface may have 'in' list of rules, 'out' list
> > > of rules. Current global ip_{input,output} filters may coexist
> > > with per-interface ones, but can be turned off.
> >
> > Different worlds. I wonder why everything has to be "like Cisco". It's
> > not always the most clever way they solve a given problem.
>
> The worlds are only different in so much as "most" FreeBSD boxes only have
> one network interface. If you have more than one interface on ANY
> platform, you really really really want the ability to have separate
> interface rulesets. Trying to cram everything into one list with interface
> matching qualifiers, even if there is a magic optimization layer which
> whisks away the rules which can not match, is unnecessarily messy and
> backwards.

Well, this is a question of the userland interface of any particular
firewall set, be it ipfw, pf or ipf. The kernel and pfil API is not
in the way of doing it.

> Note that the ability to use a global filter is also still perfectly
> appropriate for a host vs a router. I don't see any reason that you
> couldn't support both, with interface specific rules being processed
> before global. As someone who has clearly spent a lot of time trying to
> un-hose fbsd's legacy network code, I'm surprised to see you on the wrong
> side of that argument. :)

I'm against making things complicated on the coding side. I'm a fan of
KISS. Sure we can do and become everything for everyone with two gazillion
sysctls and one-thousand compile time options but it's not going to scale
and only a minority will use it at any given time.

--
Andre
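The two dispatch designs argued over in this thread, as an added user-space model written for this page (it is not FreeBSD or pfil(9) code; the interface names em0/em1/em2, the protocol constants, the rules and the function names filter_global/filter_perif are all constructed for illustration): design 1 keeps one global list and selects the interface with a qualifier on each rule, design 2 gives each interface its own 'in' and 'out' list and falls through to a global list. Each hook returns the verdict together with the number of rules it had to look at, so the two designs can be compared packet by packet.

```c
/* User-space model of the two hook designs discussed above (added example, not
 * FreeBSD or pfil(9) code): one global ruleset with interface qualifiers versus
 * per-interface in/out rulesets tried before a global fallback. Interface names,
 * protocol numbers and the rules themselves are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum dir     { DIR_IN = 1, DIR_OUT = 2 };
enum verdict { PASS = 0, DROP = 1 };
enum { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };

struct pkt  { const char *ifname; enum dir dir; int proto; int dport; };
struct rule {
    const char  *ifname;   /* interface qualifier, NULL = any interface */
    int          dirmask;  /* DIR_IN and/or DIR_OUT bits                 */
    int          proto;    /* PROTO_ANY or an IP protocol number         */
    int          dport;    /* 0 = any destination port                   */
    enum verdict verdict;
};
struct chain { const struct rule *rules; size_t n; };
#define CHAIN(a) { (a), sizeof(a) / sizeof((a)[0]) }

/* Walk one chain, first match wins; every rule looked at is counted. */
static bool run_chain(const struct chain *c, const struct pkt *p,
                      enum verdict *v, int *evaluated)
{
    for (size_t i = 0; i < c->n; i++) {
        const struct rule *r = &c->rules[i];
        (*evaluated)++;
        if (r->ifname && strcmp(r->ifname, p->ifname) != 0) continue;
        if (!(r->dirmask & p->dir))                          continue;
        if (r->proto != PROTO_ANY && r->proto != p->proto)   continue;
        if (r->dport != 0 && r->dport != p->dport)           continue;
        *v = r->verdict;
        return true;
    }
    return false;
}

/* Design 1: a single global list; the interface is just another qualifier. */
static const struct rule global_rules[] = {
    { "em0", DIR_IN,           PROTO_TCP, 22, DROP },
    { "em0", DIR_IN,           PROTO_TCP, 80, PASS },
    { "em0", DIR_IN,           PROTO_ANY,  0, DROP },
    { "em1", DIR_IN,           PROTO_ANY,  0, PASS },
    { "em1", DIR_OUT,          PROTO_TCP, 23, DROP },
    { NULL,  DIR_IN | DIR_OUT, PROTO_ANY,  0, PASS },
};
static const struct chain global_chain = CHAIN(global_rules);

/* Design 2: the same policy split into per-interface in/out lists plus a fallback. */
static const struct rule em0_in[]   = { { NULL, DIR_IN, PROTO_TCP, 22, DROP },
                                        { NULL, DIR_IN, PROTO_TCP, 80, PASS },
                                        { NULL, DIR_IN, PROTO_ANY,  0, DROP } };
static const struct rule em1_in[]   = { { NULL, DIR_IN,  PROTO_ANY,  0, PASS } };
static const struct rule em1_out[]  = { { NULL, DIR_OUT, PROTO_TCP, 23, DROP } };
static const struct rule fallback[] = { { NULL, DIR_IN | DIR_OUT, PROTO_ANY, 0, PASS } };
struct ifchains { const char *ifname; struct chain in, out; };
static const struct ifchains per_if[] = {
    { "em0", CHAIN(em0_in), { NULL, 0 } },      /* em0 has no 'out' list */
    { "em1", CHAIN(em1_in), CHAIN(em1_out) },
};
static const struct chain fallback_chain = CHAIN(fallback);

enum verdict filter_global(const struct pkt *p, int *evaluated)
{
    enum verdict v = DROP;                      /* default deny if nothing matches */
    *evaluated = 0;
    run_chain(&global_chain, p, &v, evaluated);
    return v;
}

/* The hook is called with interface and direction: that list first, then global. */
enum verdict filter_perif(const struct pkt *p, int *evaluated)
{
    enum verdict v = DROP;
    *evaluated = 0;
    for (size_t i = 0; i < sizeof per_if / sizeof per_if[0]; i++) {
        if (strcmp(per_if[i].ifname, p->ifname) != 0) continue;
        const struct chain *c = p->dir == DIR_IN ? &per_if[i].in : &per_if[i].out;
        if (run_chain(c, p, &v, evaluated)) return v;
        break;                                  /* no per-interface match: fall through */
    }
    run_chain(&fallback_chain, p, &v, evaluated);
    return v;
}

/* Scalar wrappers so the two designs can be compared packet by packet. */
static int run_model(enum verdict (*m)(const struct pkt *, int *), const char *ifn,
                     enum dir d, int proto, int dport, bool want_evals)
{
    struct pkt p = { ifn, d, proto, dport };
    int evals = 0;
    enum verdict v = m(&p, &evals);
    return want_evals ? evals : (int)v;
}
int global_verdict(const char *i, enum dir d, int pr, int dp) { return run_model(filter_global, i, d, pr, dp, false); }
int global_evals(const char *i, enum dir d, int pr, int dp)   { return run_model(filter_global, i, d, pr, dp, true); }
int perif_verdict(const char *i, enum dir d, int pr, int dp)  { return run_model(filter_perif, i, d, pr, dp, false); }
int perif_evals(const char *i, enum dir d, int pr, int dp)    { return run_model(filter_perif, i, d, pr, dp, true); }
```

Both designs give the same verdict for the same policy; the difference is in the evaluation count. An outbound telnet packet on em1 touches five rules in the global list but one in em1's 'out' list, and a packet on an interface with no lists at all (em2 above) costs one fallback rule instead of a full walk. That skipping of rules that cannot match on the current interface is what a single-list design has to reproduce with the optimisation layer mentioned in the quoted message; whether that split belongs in the kernel hook or in the userland rule compiler is the point the two messages disagree on.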