Date: Mon, 01 Aug 2022 02:09:57 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Message-ID: <bug-237973-7501-6sjGkPyMJF@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-237973-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-237973-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

Zhenlei Huang <zlei.huang@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zlei.huang@gmail.com

--- Comment #10 from Zhenlei Huang <zlei.huang@gmail.com> ---
I think it is a little complicated.

1. FreeBSD supports multiple FIBs; different FIBs may have different default routes. Then how can the `egress` group be set?
2. What if it is a router and has multiple interfaces and an ECMP default route?
3. If we have a dynamic or static route, maybe another interface will be chosen as the real egress interface other than the one with the default route. If we rely on PF firewall `egress` rules then it may be a security hole.

So I think it is best to let the user add the `egress` ifgroup to the interface manually or by scripts.

-- 
You are receiving this mail because:
You are the assignee for the bug.