Re: enabling bridge_ipf
Maxime Villard <max%m00nbsd.net@localhost> writes:
> Any reason this isn't enabled by default? Right now you need to recompile
> your kernel with "options BRIDGE_IPF" if you want a firewall on the bridge.
> This is annoying.
> There is already a dynamic switch behind it anyway: you need to pass "ipf"
> to brconfig in order for filtering to actually be enabled, so having the
> extra "options BRIDGE_IPF" serves little purpose.
> I want to enable BRIDGE_IPF by default, by removing the option and the
> #ifdefs. That is, by making the code part of bridge(4) by default.
> Note that BRIDGE_IPF is not related to IPF. It uses the pfil interface, so
> it works with NPF.
This makes sense to me.
The only reason not to would be if it created a lot more code and made
the kernel bigger, or some worry about a few instructions per packet in
bridging. Surely it's just a tiny overhead, and it doesn't really make
sense for bridges to be special vs other interfaces. (If someone wants
to compile out PFIL_HOOKS, this should go too.)
So my only request is to do a test compile with PFIL off.