Date:      Mon, 13 Dec 2004 22:13:34 +0100
From:      Andre Oppermann <andre@freebsd.org>
To:        Richard A Steenbergen <ras@e-gerbil.net>
Cc:        net@freebsd.org
Subject:   Re: per-interface packet filters
Message-ID:  <41BE05FE.7CBA6BBA@freebsd.org>
References:  <20041213124051.GB32719@cell.sick.ru> <41BDABFB.E64C0A31@freebsd.org> <20041213175305.GR6312@overlord.e-gerbil.net>

Richard A Steenbergen wrote:
> 
> On Mon, Dec 13, 2004 at 03:49:31PM +0100, Andre Oppermann wrote:
> > > I'd like to implement per-interface pfil hooks, like in Cisco
> > > world. Each interface may have 'in' list of rules, 'out' list
> > > of rules. Current global ip_{input,output}, filters may coexist
> > > with per-interface ones, but can be turned off.
> >
> > Different worlds.  I wonder why everything has to "like Cisco".  It's
> > not always the most clever way they solve a given problem.
> 
> The worlds are only different in so much as "most" FreeBSD boxes only have
> one network interface. If you have more than one interface on ANY
> platform, you really really really want the ability to have separate
> interface rulesets. Trying to cram everything into one list with interface
> matching qualifiers, even if there is a magic optimization layer which
> whisks away the rules which can not match, is unnecessarily messy and
> backwards.

Well, this is a question of the userland interface of any particular
firewall set, be it ipfw, pf or ipf.  The kernel and pfil API are not
in the way of doing it.

> Note that the ability to use a global filter is also still perfectly
> appropriate for a host vs a router. I don't see any reason that you
> couldn't support both, with interface specific rules being processed
> before global. As someone who has clearly spent a lot of time trying to
> un-hose fbsd's legacy network code, I'm surprised to see you on the wrong
> side of that argument. :)

I'm against making things complicated on the coding side.  I'm a fan
of KISS.

Sure, we can do and become everything for everyone with two gazillion
sysctls and one-thousand compile time options, but it's not going to
scale and only a minority will use it at any given time.

-- 
Andre