per-interface packet filters

Andre Oppermann andre at freebsd.org
Mon Dec 13 13:13:37 PST 2004


Richard A Steenbergen wrote:
> 
> On Mon, Dec 13, 2004 at 03:49:31PM +0100, Andre Oppermann wrote:
> > > I'd like to implement per-interface pfil hooks, like in Cisco
> > > world. Each interface may have 'in' list of rules, 'out' list
> > > of rules. Current global ip_{input,output}, filters may coexist
> > > with per-interface ones, but can be turned off.
> >
> > Different worlds.  I wonder why everything has to "like Cisco".  It's
> > not always the most clever way they solve a given problem.
> 
> The worlds are only different in so much as "most" FreeBSD boxes only have
> one network interface. If you have more than one interface on ANY
> platform, you really really really want the ability to have separate
> interface rulesets. Trying to cram everything into one list with interface
> matching qualifiers, even if there is a magic optimization layer which
> whisks away the rules which can not match, is unnecessarily messy and
> backwards.

Well, this is a question of the userland interface of any particular
firewall set, be it ipfw, pf or ipf.  The kernel and pfil API is not
in the way of doing it.

> Note that the ability to use a global filter is also still perfectly
> appropriate for a host vs a router. I don't see any reason that you
> couldn't support both, with interface specific rules being processed
> before global. As someone who has clearly spent a lot of time trying to
> un-hose fbsd's legacy network code, I'm surprised to see you on the wrong
> side of that argument. :)

I'm against making things complicated on the coding side.  I'm a fan
of KISS.

Sure we can do and become everything for everyone with two gazillion
sysctls and one-thousand compile time options but it's not going to
scale and only a minority will use it at any given time.

-- 
Andre
