From owner-freebsd-net@FreeBSD.ORG  Mon Dec 13 21:20:01 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 560AB16A544
	for <net@freebsd.org>; Mon, 13 Dec 2004 21:20:01 +0000 (GMT)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 80DBE43D58
	for <net@freebsd.org>; Mon, 13 Dec 2004 21:20:00 +0000 (GMT)
	(envelope-from andre@freebsd.org)
Received: (qmail 21476 invoked from network); 13 Dec 2004 21:09:00 -0000
Received: from unknown (HELO freebsd.org) ([62.48.0.53])
          (envelope-sender <andre@freebsd.org>)
          by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP
          for <julian@elischer.org>; 13 Dec 2004 21:09:00 -0000
Message-ID: <41BE077E.5CD2B517@freebsd.org>
Date: Mon, 13 Dec 2004 22:19:58 +0100
From: Andre Oppermann <andre@freebsd.org>
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Julian Elischer <julian@elischer.org>
References: <20041213124051.GB32719@cell.sick.ru>
	<41BDDB4D.2050201@elischer.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: net@freebsd.org
Subject: Re: per-interface packet filters
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Dec 2004 21:20:01 -0000

Julian Elischer wrote:
> 
> Gleb Smirnoff wrote:
> 
> >  Dear networkers,
> >
> >  I finally managed to pronounce my idea, although I'm afraid
> > of a bikeshed it is going to be burried under.
... 
> I'm not sayig we should n't do what you are saying but that it is
> already possible to do very similar things.

I'm not against this as such.  However it's more of a presentaion and
user interface issue than a kernel issue.  I'm certanly against hacking
the kernel to make this possible and it's not needed in this case.

With the different firewall packages different solutions with different
representations for this problem exists.  Maybe the only thing neede is
a different ipfw(8) userland application with a syntax more suitable to
what Gleb wants to present to the user.  In the background it would issue
the normal ipfw micro-ops which are entirely sufficient in functionality.
Like writing "hello world" in different programming languages, the machine
code is pretty much the same.

-- 
Andre