From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Date: Mon, 01 Aug 2022 07:36:13 +0000
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: feature, needs-patch
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: meka@tilda.center
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: net@FreeBSD.org
X-Bugzilla-Flags: mfc-stable12? mfc-stable11?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

--- Comment #11 from Goran Mekić ---
(In reply to Zhenlei Huang from comment #10)

It is complex and I just started learning about routing implementation in the
kernel, so this patch is far from perfect, but let me give some of the answers:

1. Until we have group per FIB and not group per interface, we can't do better,
unless we already have groups per FIB?
2. That issue is present on OpenBSD and yet they still have egress. I didn't
dive into egress edge cases on that operating system, but I assume they have
this problem, too.
3. People already can set groups on their interfaces, so that is covered.

My point is that egress is not universally usable. You can always imagine a
case where egress is not actually what you want in your pf.conf. That being
said, I would argue that egress implementation helps until you get to complex
network setups in which deeper understanding is assumed, hence it's assumed
that network administrators responsible for it know how they should configure
their pf.conf. In short, I think there are more people who can use egress than
those who can't, so I still think this is useful (not in current state, of
course).