On Thu, Nov 22, 2012 at 10:00 AM, Ermal Luçi <e...@freebsd.org> wrote: > On Thu, Nov 22, 2012 at 3:13 PM, Ian FREISLICH <i...@clue.co.za> wrote: > >> =?ISO-8859-1?Q?Ermal_Lu=E7i?= wrote: >> > On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi <sodyn...@gmail.com> wrote: >> > > This was actually discussed much before, as I read it would make some >> > > issues with the new pf-smp work done by gleb. >> > > >> > Not really since Gleb just changed the locking and nothing else. >> > All his work is under the hood. >> > >> > He actually broke if-bound state but that's another story. >> >> Do you have more details on this? We use ifbound state in production >> and I haven't noticed any issues with ifbound state, the way that >> we use it. >> >> Well 'broken' is maybe not the good word depending on the context. > The issue is that if-bound state in HEAD is a null op. > Since every state goes into the hash buckets. > > Before with if-bound states a state will be bound to an interface so a > packet coming/going from/to another interface would not match. > Also would give some resilience with dynamic interfaces. > > Today its a null op. So it voids the keyword which should be deprecated in > FreeBSD or should be reintroduced! > Also it may break people assumptions on it.
So I take it that "set state-policy if-bound" will no longer have any effect either? Is this expected to hit 10.0-RELEASE? It's definitely not ok to break this functionality. SMP changes are far less valuable than being able to filter each packet on ingress and egress. - Max _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
