[Bug 237973] pf: implement egress keyword to simplify rules across different hardware

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 01 Aug 2022 07:36:13 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

--- Comment #11 from Goran Mekić <meka@tilda.center> ---
(In reply to Zhenlei Huang from comment #10)
It is complex and I just started learning about routing implementation in
kernel, so this patch is far from perfect, but let me give some of the answers:

1. Until we have group per FIB and not group per interface, we can't do better,
unless we already have groups per FIB?
2. That issue is present on OpenBSD and yet they still have egress. I didn't
dive into egress edge cases on that operating system, but I assume they have
this problem, too
3. People already can set groups on their interfaces,  so that is covered.

My point is that egress is not universally usable. You can always imagine a
case where egress is not actually what you want in your pf.conf. That being
said, I would argue that egress implementation helps until you get to complex
network setups in which deeper understanding is assumed, hence it's assumed
that network administrators responsible for it know how they should configure
their pf.conf. In short I think there are more people who can use egress than
those who can't, so I still think this is useful (not in current state, of
course).

-- 
You are receiving this mail because:
You are the assignee for the bug.