[Bug 237973] pf: implement egress keyword to simplify rules across different hardware

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 01 Aug 2022 02:09:57 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237973

Zhenlei Huang <zlei.huang@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zlei.huang@gmail.com

--- Comment #10 from Zhenlei Huang <zlei.huang@gmail.com> ---
I think it is a little complicated.

1. FreeBSD supports multiple FIBs, and different FIBs may have different default
routes. Then how can the `egress` group be set?
2. What if it is a router that has multiple interfaces and an ECMP default route?
3. If we have dynamic or static routes, another interface may be chosen
as the real egress interface rather than the one with the default route. If we rely on
PF firewall `egress` rules then it may be a security hole.

So I think it is best to let the user add the `egress` ifgroup to the interface
manually or by scripts.

-- 
You are receiving this mail because:
You are the assignee for the bug.
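A worked illustration of the FIB caveat in comment #10, added here and not part of the bug report or of pf itself: a POSIX sh script that parses constructed route(8) output for each FIB and only proposes an `egress` group assignment when every FIB names the same default-route interface, otherwise leaving the decision to the administrator as the comment suggests. The sample gateways, interface names and the commented route/ifconfig invocations are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or the pf source tree.
# On a real FreeBSD host the inputs would come from one query per FIB:
#   setfib "$fib" route -n get default      # fib in 0 .. $(sysctl -n net.fibs)-1
# and the result would be applied with:
#   ifconfig "$iface" group egress
# Here the route(8) output is a constructed sample so the script runs offline.
# Note: `route get` prints a single path, so an ECMP default route (point 2 in
# the comment) would still be hidden from this check.

# Extract the "interface:" field from `route -n get default` output.
iface_from_route_get() {
    printf '%s\n' "$1" | awk '$1 == "interface:" { print $2; exit }'
}

# Given the default-route interface of each FIB as arguments, print the
# interface if all FIBs agree; print nothing and return 1 if any FIB lacks a
# default route or the FIBs disagree (point 1 in the comment).
unambiguous_egress() {
    first=""
    for i in "$@"; do
        [ -z "$i" ] && return 1
        if [ -z "$first" ]; then
            first="$i"
        elif [ "$first" != "$i" ]; then
            return 1
        fi
    done
    [ -n "$first" ] && printf '%s\n' "$first"
}

# Constructed route(8) output for FIB 0 and FIB 1 with different uplinks.
FIB0_OUT='   route to: default
destination: default
    gateway: 192.0.2.1
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>'
FIB1_OUT='   route to: default
destination: default
    gateway: 198.51.100.1
        fib: 1
  interface: em1
      flags: <UP,GATEWAY,DONE,STATIC>'

if egress=$(unambiguous_egress "$(iface_from_route_get "$FIB0_OUT")" \
                               "$(iface_from_route_get "$FIB1_OUT")"); then
    echo "would run: ifconfig $egress group egress"
else
    echo "default routes differ between FIBs; assign the egress group by hand" >&2
fi
```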