per-interface packet filters

Vladimir Grebenschikov vova at fbsd.ru
Tue Dec 14 01:40:07 PST 2004


On Tue, 14/12/2004 at 11:51 +0300, Gleb Smirnoff wrote:

> I know this. We have well commented firewall scripts, we store them in RCS,
> we do many things to make our life easier. But my practice (and my colleagues')
> shows that per-interface filters are easier to understand and maintain when
> the number of interfaces grows to 20 and more, and they are all logically
> different - clients, servers, DMZs, hardware, NATed networks, etc.
> 
> Again, this feature is not for everyone. It is for people who build complicated
> routers on FreeBSD. It is not going to hurt standard host setups.

Frankly speaking, I think people who run a real-life router with a firewall on
FreeBSD will vote for this feature with both hands.

Some years ago I had a FreeBSD router with nearly 100 interfaces (mostly
VLANs and Frame Relay customer connections, and about 10 physical media
interfaces). This router forwarded some thousands of packets per second. It
was real trouble to rearrange the ipfw table with a large (very large)
number of jumps (especially when some number range was exceeded and
renumbering was required). Also, most of the router's interrupt time was
spent going through the client multiplexer part of the ipfw ruleset.

Gleb, please do the feature.

Why do we not avoid bottlenecks where they can be avoided?
With that feature we can select the right rules for a specific interface
without doing a linear search through the ruleset.

Do we want FreeBSD to be used in a large range of setups, or do we have a
narrow targeting?

-- off-topic --
Days ago FreeBSD was the only OS flexible and stable enough to be used in
complex, customized network environments, but nowadays it is not so :(,
and you know why.
-- off-topic -- (not for flame or advocacy, just emotion)

-- 
Vladimir B. Grebenchikov
vova at fbsd.ru
