[Bug 237973] pf: implement egress keyword to simplify rules across different hardware
Date: Mon, 01 Aug 2022 02:09:57 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

Zhenlei Huang <zlei.huang@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zlei.huang@gmail.com

--- Comment #10 from Zhenlei Huang <zlei.huang@gmail.com> ---
I think it is a little complicated.

1. FreeBSD supports multiple FIBs, and different FIBs may have different default routes. Then how can the `egress` group be set?
2. What if it is a router and has multiple interfaces and an ECMP default route?
3. If we have dynamic or static routes, maybe another interface will be chosen as the real egress interface other than the one with the default route. If we rely on PF firewall `egress` rules then it may be a security hole.

So I think it is best to let the user add the `egress` ifgroup to the interface manually or by scripts.

--
You are receiving this mail because:
You are the assignee for the bug.
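As an added illustration of the "by scripts" option in comment #10 (not code from the commenter or from the FreeBSD project), the sketch below derives the `egress` assignment from one FIB's routing table and refuses to pick an interface when the default route is ambiguous, as in the ECMP case. The function names are hypothetical and the routing tables are constructed samples in the layout of `netstat -rn -f inet`.

```shell
#!/bin/sh
# Constructed sample input: one routing table per case.
FIB0_SAMPLE='Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
192.0.2.0/24       link#1             U           em0'

FIB1_SAMPLE='Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em1
198.51.100.0/24    link#2             U           em1'

ECMP_SAMPLE='Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
default            198.51.100.1       UGS         em1'

# default_ifs (hypothetical helper): read routing-table text on stdin and
# print the unique Netif of every `default` route, one per line.
default_ifs() {
    awk '$1 == "default" && NF >= 4 { print $4 }' | sort -u
}

# egress_plan (hypothetical helper): read one FIB's routing table on stdin.
# Prints the ifconfig command to run when exactly one interface holds a
# default route; otherwise prints nothing on stdout and returns 1, so the
# operator has to tag the interface by hand.
egress_plan() {
    ifs=$(default_ifs)
    count=$(printf '%s\n' "$ifs" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: $count default-route interfaces in this table" >&2
        return 1
    fi
    echo "ifconfig $ifs group egress"
}

# Dry run over the samples. On a live system the input would come from
# `netstat -rn -f inet -F <fib>`, one call per FIB.
printf '%s\n' "$FIB0_SAMPLE" | egress_plan
printf '%s\n' "$FIB1_SAMPLE" | egress_plan
printf '%s\n' "$ECMP_SAMPLE" | egress_plan || echo "ECMP table: tag manually"
```

The two single-path tables yield different interfaces for FIB 0 and FIB 1, which is the first concern in the comment; the script only prints the command, so nothing is changed until an operator reviews it.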