On Wed, Feb 08, 2012 at 03:04:09PM +0100, Ermal Luçi wrote:
E> 2012/2/8 Gleb Smirnoff <gleb...@freebsd.org>:
E> > On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
E> > L> if i understand what the patch does, i think it makes sense to be
E> > L> able to hook ipfw instances to specific interfaces/sets of interfaces,
E> > L> as it permits the writing of more readable rulesets. Right now the
E> > L> workaround is to start the ruleset with skipto rules matching on
E> > L> interface names, and then use some discipline in "reserving" a range
E> > L> of rule numbers for each interface.
E> >
E> > This is definitely a desired feature, but it should be implemented
E> > at the level of pfil(9). However, that would still require multiple
E> > instances of ipfw(4).
E> >
E> This opens a discussion of architecture design.
E> I do not think pfil(9) is presently designed to handle such a thing!
Several years ago, I guess around 2005, a discussion on per-interface packet filtering took place on the net@ mailing list. At that time it led to nothing; several people were against the idea. Recently on IRC I raised the discussion again. Today more people liked the idea and found it a desired feature. Many kinds of high-end networking equipment have per-interface ACLs. I know that networking sysadmins would be happy if FreeBSD packet filters got this feature, since maintaining such ACLs is much easier on a router with dozens of interfaces.

--
Totus tuus, Glebius.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
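The skipto workaround Luigi describes, written out as an added example (not code from anyone in the thread): a dispatch table at the top of a single ipfw(4) instance sends each packet to a reserved 1000-rule block for its interface, and every block ends with its own deny so that a packet never falls through into the next interface's range. The interface names and the per-interface policy are constructed for illustration; the function only prints the rules so they can be reviewed before loading.

```sh
#!/bin/sh
# Added example: per-interface ACL dispatch in one ipfw(4) instance using
# skipto rules plus a reserved rule-number range per interface.
# Interfaces and policies below are constructed, not taken from the thread.

# block_base N -> first rule number of the N-th interface block (N >= 1).
# Reserving 1000 numbers per interface keeps blocks from colliding.
block_base() {
    echo $(( $1 * 1000 ))
}

# emit_ruleset IF1 IF2 ... -> prints ipfw commands to stdout without running
# them; save to a file and load with `ipfw -q <file>` after review.
emit_ruleset() {
    n=0
    # Dispatch table: skipto targets must be numerically above these rules.
    for ifn in "$@"; do
        n=$((n + 1))
        echo "add $((100 + n)) skipto $(block_base $n) ip from any to any via $ifn"
    done
    # Traffic on an interface with no block would otherwise reach the first
    # block's rules; deny it explicitly instead.
    echo "add 999 deny ip from any to any"

    n=0
    for ifn in "$@"; do
        n=$((n + 1))
        base=$(block_base $n)
        # Constructed per-interface policy (stateless on purpose).
        echo "add $((base + 10)) allow tcp from any to me 22 in via $ifn"
        echo "add $((base + 20)) allow icmp from any to any via $ifn"
        # Terminal deny: without it a packet falls into the next block.
        echo "add $((base + 999)) deny ip from any to any via $ifn"
    done
}

emit_ruleset em0 em1 em2
```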