On 2/8/12 6:09 AM, Gleb Smirnoff wrote:
On Wed, Feb 08, 2012 at 03:04:09PM +0100, Ermal Luçi wrote:
E>  2012/2/8 Gleb Smirnoff<gleb...@freebsd.org>:
E>  >  On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
E>  >  L>  if i understand what the patch does, i think it makes sense to be
E>  >  L>  able to hook ipfw instances to specific interfaces/sets of interfaces,
E>  >  L>  as it permits the writing of more readable rulesets. Right now the
E>  >  L>  workaround is start the ruleset with skipto rules matching on
E>  >  L>  interface names, and then use some discipline in "reserving" a range
E>  >  L>  of rule numbers to each interface.
E>  >
E>  >  This is definitely a desired feature, but it should be implemented
E>  >  on level of pfil(9). However, that would still require multiple
E>  >  instances of ipfw(4).
E>  >
E>  This opens a discussion of architecture design.
E>  I do not think presently pfil(9) is designed to handle such thing!

Several years ago, I guess around 2005, a discussion on per-interface
packet filtering took place on the net@ mailing list. At that time, it led
to nothing; several people were against the idea.

Recently on IRC I raised the discussion again. Today more people liked
the idea and found it a desired feature.

Many kinds of high-end networking equipment have per-interface ACLs. I know
that network sysadmins would be happy if the FreeBSD packet filters got
this feature, since maintaining such ACLs is much easier on a router with
dozens of interfaces.

I think it is a good idea, not only for interfaces but for certain routing and bridging paths too.


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
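As an added illustration of the skipto workaround Luigi describes above (example code, not from the thread and not part of FreeBSD or ipfw): a POSIX sh generator that reserves a block of rule numbers per interface, dispatches into each block with skipto, and checks that the blocks cannot collide with the catch-all rule. The interface list, the numbering layout, the sample rules inside each block and the IPFW_CMD variable are all constructed for the example; by default it only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeBSD: the skipto
# workaround generated from an interface list, so that every interface
# gets its own reserved rule-number block on a single ipfw instance.
# Interface names, numbering and the sample rules are constructed.

# Constructed layout (assumption):
#   DISPATCH_BASE..                   : two skipto rules per interface (in, out)
#   IFACE_BASE + N*BLOCK .. +BLOCK-1  : block owned by the N-th interface
#   DENY_ALL                          : catch-all, above every block, below 65535
IFACES="em0 em1 ix0"
DISPATCH_BASE=100
IFACE_BASE=1000
BLOCK=1000
DENY_ALL=65000

# Dry run by default: print the ipfw commands instead of applying them.
# IPFW_CMD is a variable of this script, not an ipfw option; set it to
# /sbin/ipfw to apply the ruleset for real.
IPFW="${IPFW_CMD:-echo ipfw}"

# block_start IFNAME -> first rule number of IFNAME's block (fails if unknown)
block_start() {
    _i=0
    for _n in $IFACES; do
        if [ "$_n" = "$1" ]; then
            echo $((IFACE_BASE + _i * BLOCK))
            return 0
        fi
        _i=$((_i + 1))
    done
    echo "block_start: unknown interface $1" >&2
    return 1
}

# block_end IFNAME -> last rule number reserved for IFNAME's block
block_end() {
    _s=$(block_start "$1") || return 1
    echo $((_s + BLOCK - 1))
}

# check_layout -> non-zero if any block reaches the catch-all rule number
check_layout() {
    for _n in $IFACES; do
        _e=$(block_end "$_n") || return 1
        if [ "$_e" -ge "$DENY_ALL" ]; then
            echo "check_layout: block for $_n ends at $_e, overlaps $DENY_ALL" >&2
            return 1
        fi
    done
    return 0
}

# gen_ruleset -> emit the whole ruleset: dispatcher, one block per
# interface, catch-all. First match wins, so the dispatcher keys on
# "in recv" / "out xmit" rather than "via": a packet forwarded out em1
# would otherwise hit "via em0" (its receive interface) first.
gen_ruleset() {
    check_layout || return 1
    _d=$DISPATCH_BASE
    for _n in $IFACES; do
        _s=$(block_start "$_n")
        $IPFW add $_d skipto $_s ip from any to any in recv "$_n"
        $IPFW add $((_d + 1)) skipto $_s ip from any to any out xmit "$_n"
        _d=$((_d + 2))
    done
    # Packets matching no dispatcher rule (locally originated traffic has
    # no receive interface) must not fall through into the first block.
    $IPFW add $_d skipto $DENY_ALL ip from any to any

    for _n in $IFACES; do
        _s=$(block_start "$_n")
        _e=$(block_end "$_n")
        # Per-interface policy lives in [_s, _e]. Constructed sample rules:
        $IPFW add $_s allow tcp from any to me 22 in recv "$_n"
        $IPFW add $((_s + 1)) allow icmp from any to any
        # Terminating rule: evaluation must never run on into the next block.
        $IPFW add $_e deny ip from any to any
    done
    $IPFW add $DENY_ALL deny ip from any to any
}

gen_ruleset
```

The two points worth keeping from this layout are the ones the thread's "discipline" remark hides: every block needs its own terminating rule, because ipfw simply continues with the next rule number and would otherwise evaluate the following interface's block, and the dispatcher needs a terminating rule of its own for traffic that names no listed interface.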
