Date:      Thu, 09 Feb 2012 14:47:00 -0800
From:      Julian Elischer <julian@freebsd.org>
To:        Gleb Smirnoff <glebius@freebsd.org>
Cc:        Ermal Luçi <eri@freebsd.org>, freebsd-net <freebsd-net@freebsd.org>, Luigi Rizzo <rizzo@iet.unipi.it>, freebsd-hackers@freebsd.org
Subject:   Re: [PATCH] multiple instances of ipfw(4)
Message-ID:  <4F344CE4.301@freebsd.org>
In-Reply-To: <20120208140921.GM13554@glebius.int.ru>
References:  <CAPBZQG32iyzkec4PG%2Bqay9bKfd0GiffKyRBapLkATKvHr7cVww@mail.gmail.com> <20120131110204.GA95472@onelab2.iet.unipi.it> <20120208133559.GK13554@FreeBSD.org> <CAPBZQG0edS3sru=D_iGMsNDC5EA8H=A=wwRUDOGZi9DtU5-CkQ@mail.gmail.com> <20120208140921.GM13554@glebius.int.ru>

On 2/8/12 6:09 AM, Gleb Smirnoff wrote:
> On Wed, Feb 08, 2012 at 03:04:09PM +0100, Ermal Luçi wrote:
> E>  2012/2/8 Gleb Smirnoff<glebius@freebsd.org>:
> E>  >  On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
> E>  >  L>  If I understand what the patch does, I think it makes sense to be
> E>  >  L>  able to hook ipfw instances to specific interfaces/sets of interfaces,
> E>  >  L>  as it permits the writing of more readable rulesets. Right now the
> E>  >  L>  workaround is to start the ruleset with skipto rules matching on
> E>  >  L>  interface names, and then use some discipline in "reserving" a range
> E>  >  L>  of rule numbers to each interface.
> E>  >
> E>  >  This is definitely a desired feature, but it should be implemented
> E>  >  on level of pfil(9). However, that would still require multiple
> E>  >  instances of ipfw(4).
> E>  >
> E>  This opens a discussion of architecture design.
> E>  I do not think presently pfil(9) is designed to handle such thing!
>
> Several years ago, I guess around 2005, a discussion on per-interface
> packet filtering took place on the net@ mailing list. At that time, it led
> to nothing; several people were against the idea.
>
> Recently on IRC I had raised the discussion again. Today more people liked
> the idea and found it a desired feature.
>
> Many kinds of high-end networking equipment have per-interface ACLs. I know
> that networking sysadmins would be happy if FreeBSD packet filters
> got this feature, since maintaining such ACLs is much easier on a router with
> dozens of interfaces.

I think it is a good idea. Not only for interfaces but certain routing
and bridging paths too.
