NetBSD-Users archive


Re: npf on a router: configuration issues



Robert Elz <kre%munnari.OZ.AU@localhost> writes:

> All BSD systems are inherently routers (and while many people don't
> like this model, that is how it has always been).   The routing
> functionality is central to everything in the BSD (internet) stack.
> (Unix domain sockets, and other protocols, are, and might be, resp,
> different.)

Sure, I understand that.

It is still sensible to want to be able to write a firewall rule that
will only be matched for a packet that is being input to the host
portion (delivered to a socket, more or less), or has been emitted from
the host portion (sent by a socket, more or less).  I think it's a
design bug in a firewall not to be able to do that simply and
straightforwardly.

A firewall not filtering things that are on some fast path is also a
bug.   We should have semantics first, and then efficiency.


