[PATCH] multiple instances of ipfw(4)
julian at freebsd.org
Thu Feb 9 22:45:39 UTC 2012
On 2/8/12 6:09 AM, Gleb Smirnoff wrote:
> On Wed, Feb 08, 2012 at 03:04:09PM +0100, Ermal Lu?i wrote:
> E> 2012/2/8 Gleb Smirnoff<glebius at freebsd.org>:
> E> > On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
> E> > L> if i understand what the patch does, i think it makes sense to be
> E> > L> able to hook ipfw instances to specific interfaces/sets of interfaces,
> E> > L> as it permits the writing of more readable rulesets. Right now the
> E> > L> workaround is start the ruleset with skipto rules matching on
> E> > L> interface names, and then use some discipline in "reserving" a range
> E> > L> of rule numbers to each interface.
> E> >
> E> > This is definitely a desired feature, but it should be implemented
> E> > on level of pfil(9). However, that would still require multiple
> E> > instances of ipfw(4).
> E> >
> E> This opens a discussion of architecture design.
> E> I do not think presently pfil(9) is designed to handle such thing!
> Several years ago, I guess around 2005, a discussion on a per-interface
> packet filtering was taken on the net@ mailing list. In that time, it lead
> to nothing, several people were against the idea.
> Recently on IRC I had raised the discussion again. Today more people liked
> the idea and found it a desired feature.
> Many kinds of high end networking equipment have per-interface ACLs. I know
> that networking sysadmins would be happy if FreeBSD packet filters would
> get this feature, since maintaing such ACLs is much easier on a router with
> dozens of interfaces.
I think it is a good idea. not only for interfaces but certain routing
and bridging paths too.
More information about the freebsd-net