Date:      Wed, 8 Feb 2012 15:04:09 +0100
From:      Ermal Luçi <eri@freebsd.org>
To:        Gleb Smirnoff <glebius@freebsd.org>
Cc:        freebsd-net <freebsd-net@freebsd.org>, Luigi Rizzo <rizzo@iet.unipi.it>, freebsd-hackers@freebsd.org
Subject:   Re: [PATCH] multiple instances of ipfw(4)
Message-ID:  <CAPBZQG0edS3sru=D_iGMsNDC5EA8H=A=wwRUDOGZi9DtU5-CkQ@mail.gmail.com>
In-Reply-To: <20120208133559.GK13554@FreeBSD.org>
References:  <CAPBZQG32iyzkec4PG+qay9bKfd0GiffKyRBapLkATKvHr7cVww@mail.gmail.com> <20120131110204.GA95472@onelab2.iet.unipi.it> <20120208133559.GK13554@FreeBSD.org>

2012/2/8 Gleb Smirnoff <glebius@freebsd.org>:
> On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
> L> if i understand what the patch does, i think it makes sense to be
> L> able to hook ipfw instances to specific interfaces/sets of interfaces,
> L> as it permits the writing of more readable rulesets. Right now the
> L> workaround is start the ruleset with skipto rules matching on
> L> interface names, and then use some discipline in "reserving" a range
> L> of rule numbers to each interface.
>
> This is definitely a desired feature, but it should be implemented
> on level of pfil(9). However, that would still require multiple
> instances of ipfw(4).
>
This opens a discussion of architecture design.
I do not think pfil(9) is presently designed to handle such a thing!


Regards,
Ermal
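The workaround Luigi describes in the quoted message (a dispatcher of skipto rules keyed on interface name, with a reserved block of rule numbers per interface) written out as a generator for an ipfw(8) ruleset file. This is an added example, not code from the thread or from FreeBSD; the interface names, the 1000-rule block size, the dispatcher range 100-199 and the per-block contents are all constructed for illustration.

```shell
#!/bin/sh
# Added example: single-instance ipfw(4) ruleset that emulates per-interface
# instances with skipto. Interface names and ranges below are constructed.
#
# Layout:
#   100-199   dispatcher: "skipto <base> ip from any to any via <iface>"
#   <base>..  one block per interface, closed by an explicit deny so a packet
#             can never fall through into the next interface's block
# skipto only jumps forward, so every block base must exceed the dispatcher.

# Reserved ranges, one per line: "<iface> <base> <span>" (constructed).
RANGES='em0 1000 1000
em1 2000 1000
wlan0 3000 1000'

# check_ranges: return 1 if a block overlaps or precedes the previous one,
# would not be reachable by a forward skipto, or runs into rule 65535.
check_ranges() {
    prev_end=199                     # dispatcher occupies 100-199
    echo "$RANGES" | while read -r iface base span; do
        [ -n "$iface" ] || continue
        end=$((base + span - 1))
        if [ "$base" -le "$prev_end" ] || [ "$end" -ge 65535 ]; then
            echo "check_ranges: bad range for $iface: $base-$end" >&2
            exit 1                   # exits the pipeline subshell -> status 1
        fi
        prev_end=$end
    done
}

# gen_ruleset: print the ruleset in the "add N ..." form that
# "ipfw -q <file>" consumes. Fails (no output) if the ranges are bad.
gen_ruleset() {
    check_ranges || return 1
    n=100
    # Dispatcher. "via" matches the interface on both the in and out hooks,
    # so each pfil(9) pass lands in the block of the interface it is on.
    echo "$RANGES" | while read -r iface base span; do
        [ -n "$iface" ] || continue
        echo "add $n skipto $base ip from any to any via $iface"
        n=$((n + 1))
    done
    # Anything on an interface with no reserved block stops here.
    echo "add 199 deny log ip from any to any"
    # Per-interface blocks: sample content plus the closing deny.
    echo "$RANGES" | while read -r iface base span; do
        [ -n "$iface" ] || continue
        end=$((base + span - 1))
        echo "# --- $iface: rules $base-$end ---"
        echo "add $base allow icmp from any to any icmptypes 0,3,8,11 via $iface"
        echo "add $end deny log ip from any to any"
    done
}

# Stand-alone run prints the ruleset; load it with
#   gen_ruleset > /etc/ipfw.rules && ipfw -q flush && ipfw -q /etc/ipfw.rules
gen_ruleset
```

The closing deny in each block is the part people forget: without it, a packet that matches nothing in the em0 block continues straight into the em1 block, which is exactly the cross-interface leakage that separate ipfw instances would prevent by construction.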



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPBZQG0edS3sru=D_iGMsNDC5EA8H=A=wwRUDOGZi9DtU5-CkQ>