Subject: Re: IPF 4.1.20
To: None <current-users@netbsd.org>
From: Miles Nordin <carton@Ivy.NET>
List: current-users
Date: 05/08/2007 21:43:00

>>>>> "hf" == Hauke Fath <hauke@Espresso.Rhein-Neckar.DE> writes:

    hf> (a) pf keeps state per-interface

no, 

  set state-policy if-bound
  set state-policy floating

in the options section controls whether or not packets will match
state that was created on interfaces other than the one on which
they're being sent/received.

    hf> You could probably work around that by extensive
    hf> use of macros, but I find that inflates the namespace and
    hf> rather obscures the rule base.

I find it doesn't.  All pf.confs make extensive use of macros and
syntactic sugar, and it's tremendously more readable and less
mistake-prone.  Seriously.  I have a couple hundred rules and like
thirty HFSC queues.  The macros are good.

    hf> (b), my current ruleset relies heavily on (per-interface)
    hf> groups, for structuring the ruleset more than performance, and
    hf> pf does not support groups.

yeah, I felt there were missing verbs, like 'block commit' meaning,
``if the packet is marked for blocking at this point in marching
through the ruleset, block it right now as if 'block quick'.  If the
packet's marked for passing, proceed on through the ruleset.''  and
then a 'pass commit' to go with it.

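To make the state-policy point above concrete, here is a small pf.conf fragment written as an added illustration for this thread; it is not from the mail or from any real ruleset. Interface names, the LAN prefix and the rule set are placeholders, and the comments describe what the two `set state-policy` values change for a box that forwards traffic between two interfaces.

```pf
# Constructed example, not from the original mail. Interface names and the
# network below are placeholders; substitute your own.
ext_if  = "bge0"
int_if  = "bge1"
lan_net = "192.0.2.0/24"   # RFC 5737 documentation prefix, placeholder

# "if-bound": a state entry only matches packets on the interface that
# created it.  A LAN host's outbound flow therefore needs one state on
# $int_if (from the "pass in") and a separate one on $ext_if (from the
# "pass out"); reply packets match the $ext_if state coming in and the
# $int_if state going out.  With "set state-policy floating" the first
# state created would already match the packet on every interface.
set state-policy if-bound

# Default deny, logged, so anything not explicitly allowed shows up.
block log all

# The macros keep the interface/network names in one place, so changing
# hardware or renumbering the LAN is a one-line edit rather than a hunt
# through every rule.
pass in  on $int_if inet proto { tcp udp } from $lan_net to any keep state
pass out on $ext_if inet proto { tcp udp } from $lan_net to any keep state
```

Switching the `set state-policy` line to `floating` would let the `pass in` rule's state carry the packet out on `$ext_if` as well, which is the behaviour the quoted message was assuming was the only one pf offered.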