From owner-freebsd-net@FreeBSD.ORG Mon Dec 13 17:53:07 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50EFD16A4CE; Mon, 13 Dec 2004 17:53:07 +0000 (GMT)
Received: from overlord.e-gerbil.net (e-gerbil.net [69.31.1.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB3F843D4C; Mon, 13 Dec 2004 17:53:06 +0000 (GMT) (envelope-from ras@overlord.e-gerbil.net)
Received: from overlord.e-gerbil.net (ras@localhost.e-gerbil.net [127.0.0.1]) by overlord.e-gerbil.net (8.13.1/8.13.1) with ESMTP id iBDHr5L7059139; Mon, 13 Dec 2004 12:53:05 -0500 (EST) (envelope-from ras@overlord.e-gerbil.net)
Received: (from ras@localhost) by overlord.e-gerbil.net (8.13.1/8.13.1/Submit) id iBDHr5ur059138; Mon, 13 Dec 2004 12:53:05 -0500 (EST) (envelope-from ras)
Date: Mon, 13 Dec 2004 12:53:05 -0500
From: Richard A Steenbergen
To: Andre Oppermann
Cc: net@freebsd.org
Subject: Re: per-interface packet filters
Message-ID: <20041213175305.GR6312@overlord.e-gerbil.net>
References: <20041213124051.GB32719@cell.sick.ru> <41BDABFB.E64C0A31@freebsd.org>
In-Reply-To: <41BDABFB.E64C0A31@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6i
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 13 Dec 2004 17:53:07 -0000

On Mon, Dec 13, 2004 at 03:49:31PM +0100, Andre Oppermann wrote:
> > I'd like to implement per-interface pfil hooks, like in Cisco
> > world. Each interface may have 'in' list of rules, 'out' list
> > of rules. Current global ip_{input,output}, filters may coexist
> > with per-interface ones, but can be turned off.
>
> Different worlds. I wonder why everything has to be "like Cisco". It's
> not always the most clever way they solve a given problem.

The worlds are only different in so much as "most" FreeBSD boxes only have
one network interface. If you have more than one interface on ANY platform,
you really really really want the ability to have separate interface
rulesets. Trying to cram everything into one list with interface matching
qualifiers, even if there is a magic optimization layer which whisks away
the rules which can not match, is unnecessarily messy and backwards.

Note that the ability to use a global filter is also still perfectly
appropriate for a host vs a router. I don't see any reason that you
couldn't support both, with interface specific rules being processed
before global.

As someone who has clearly spent a lot of time trying to un-hose fbsd's
legacy network code, I'm surprised to see you on the wrong side of that
argument. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
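The two layouts argued over in this thread can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from FreeBSD's pfil: it compares a single global list whose rules carry interface/direction qualifiers against separate per-interface 'in'/'out' lists that are consulted before a global list, and counts how many rules each layout has to examine before reaching a verdict. The interface names (em0, em1), the rules and the packets are constructed for the example; first-match semantics and an "allow" default policy are assumptions.

```python
# Added model of global-with-qualifiers vs. per-interface rule lists.
# Not FreeBSD code; interfaces, rules and packets below are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

DEFAULT_ACTION = "allow"  # assumed default policy when nothing matches


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet enters or leaves on
    direction: str    # "in" or "out"
    proto: str        # "tcp", "udp", ...
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None means "any"
    dst_port: Optional[int] = None
    iface: Optional[str] = None      # qualifier used only by the global layout
    direction: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.direction is None or self.direction == pkt.direction))


def walk(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], int]:
    """First-match walk: returns (action or None, number of rules examined)."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule.action, n
    return None, len(rules)


class GlobalFilter:
    """One list for the whole box; interface intent lives in each rule's qualifiers."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def evaluate(self, pkt: Packet) -> Tuple[str, int]:
        action, examined = walk(self.rules, pkt)
        return action or DEFAULT_ACTION, examined


class PerInterfaceFilter:
    """Separate in/out list per interface, consulted before a global list that
    still applies to every packet (interface rules first, then global)."""

    def __init__(self):
        self.per_iface: Dict[Tuple[str, str], List[Rule]] = {}
        self.global_rules: List[Rule] = []

    def add_iface_rule(self, iface: str, direction: str, rule: Rule) -> None:
        self.per_iface.setdefault((iface, direction), []).append(rule)

    def add_global_rule(self, rule: Rule) -> None:
        self.global_rules.append(rule)

    def evaluate(self, pkt: Packet) -> Tuple[str, int]:
        action, examined = walk(self.per_iface.get((pkt.iface, pkt.direction), []), pkt)
        if action is not None:
            return action, examined
        g_action, g_examined = walk(self.global_rules, pkt)
        return g_action or DEFAULT_ACTION, examined + g_examined


def build_filters() -> Tuple[PerInterfaceFilter, GlobalFilter]:
    """Constructed router policy: em0 faces the outside, em1 faces the LAN."""
    wan_in = [Rule("deny", "tcp", 23), Rule("deny", "tcp", 135),
              Rule("deny", "tcp", 445), Rule("deny", "udp", 137)]
    lan_in = [Rule("deny", "udp", 53)]          # LAN clients must use the local resolver
    everywhere = [Rule("deny", "tcp", 6000)]    # applies on every interface, both ways

    pf = PerInterfaceFilter()
    for r in wan_in:
        pf.add_iface_rule("em0", "in", r)
    for r in lan_in:
        pf.add_iface_rule("em1", "in", r)
    for r in everywhere:
        pf.add_global_rule(r)

    # Same policy flattened into one list, each rule tagged with its qualifiers,
    # in the same order the per-interface layout would consult them.
    flat = ([replace(r, iface="em0", direction="in") for r in wan_in]
            + [replace(r, iface="em1", direction="in") for r in lan_in]
            + everywhere)
    return pf, GlobalFilter(flat)


if __name__ == "__main__":
    pf, gf = build_filters()
    for pkt in (Packet("em1", "in", "udp", 53),
                Packet("em1", "out", "tcp", 6000),
                Packet("em0", "in", "tcp", 80)):
        print(pkt, "per-interface:", pf.evaluate(pkt), "global:", gf.evaluate(pkt))
```

The interesting number is the second element of each result: for a DNS packet arriving on em1 the per-interface layout examines one rule, while the flat list walks past every em0 rule first; a packet leaving on an interface with no list of its own falls straight through to the global rules. A real implementation would add the optimization layer the message mentions, but the model shows why the per-interface lists are the natural home for that intent rather than qualifiers scattered through one list.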