per-interface packet filters

James james at towardex.com
Mon Dec 13 21:33:08 PST 2004


I'm personally against modifying ipfw(4) for this purpose. It gets into the
complexity of syntax and simply violates the initial simple model of the whole
ipfw packet filter itself. I agree that FreeBSD systems acting as routers
need a more "efficient" or "better" engine by allowing per-interface firewall
hooks, but we all know the pfil_hooks API already provides this; and modifying
ipfw for this is just a mess for little gain.

That said, pfil_hooks already provides the ifp -- so why not just write a
new firewall of your own that is totally separate from pf/ipfw? Please feel
free to make it compiled (like Crisco Turbo ACL) instead of doing linear
rule-by-rule checks :) It just needs to be compatible with the pfil_hooks API.

While it is good to make FreeBSD more router-like, keeping things simple for
systems acting as non-routing platforms for end users is equally important.

-J

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                      Boston IPv4/IPv6 Web Hosting, Colocation and
james at towardex.com            Network design/consulting & configuration services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
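The design the post sketches, a filter hung off the pfil hook that uses the ifp it is handed to pick a per-interface rule table instead of walking one global ipfw-style list, as an added userland model. This is example code written for this page, not FreeBSD, ipfw or pf code: the struct ifnet and packet stand-ins, the hook prototype, the table layout and the sample policy are all assumptions, and the real kernel pfil hook prototype (which has changed across releases) is not reproduced here. The point it shows is the "compiled" step: rules are sorted into per-(interface, direction) tables at load time, so the hook never tests an ifp match at packet time, and anything it cannot classify (no ifp, unknown index, bad direction) is dropped rather than passed.

```c
/* Userland model of a per-interface packet filter hung off a pfil-style hook.
 * Added example, not FreeBSD, ipfw or pf code: the struct ifnet and packet
 * stand-ins, the hook signature and the sample policy are all assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IF    8    /* valid if_index is 1..MAX_IF-1, as 0 is never used */
#define MAX_RULES 32

enum dir    { DIR_IN = 1, DIR_OUT = 2 };
enum action { ACT_BLOCK = 0, ACT_PASS = 1 };  /* a zeroed table blocks */

/* Stand-in for struct ifnet: the hook needs only the index pfil hands it. */
struct ifnet { int if_index; char if_xname[16]; };

/* Stand-in for the packet: the header fields a rule can match on. */
struct pkt { uint8_t proto; uint16_t dport; };   /* 6 = TCP, 17 = UDP */

/* dir is DIR_IN, DIR_OUT or both ORed together; proto/dport 0 means any. */
struct rule { int dir; uint8_t proto; uint16_t dport; int action; };

/* "Compiled" ruleset: one table per (interface, direction), filled at load
 * time, so the hook walks only the rules for the interface it was called
 * on instead of testing every rule of one global list against ifp. */
struct if_table { struct rule rules[MAX_RULES]; int nrules; int default_action; };

static struct if_table tables[MAX_IF][3];   /* indexed [if_index][dir] */

static int if_index_ok(int idx) { return idx > 0 && idx < MAX_IF; }

static int add_rule(int if_index, const struct rule *r)
{
    if (!if_index_ok(if_index))
        return -1;
    for (int d = DIR_IN; d <= DIR_OUT; d++) {
        struct if_table *t = &tables[if_index][d];
        if (!(r->dir & d))
            continue;
        if (t->nrules == MAX_RULES)
            return -1;
        t->rules[t->nrules++] = *r;
    }
    return 0;
}

static int set_default(int if_index, int dir, int action)
{
    if (!if_index_ok(if_index) || (dir != DIR_IN && dir != DIR_OUT))
        return -1;
    tables[if_index][dir].default_action = action;
    return 0;
}

/* The hook: same shape as a pfil hook (opaque arg, packet, ifp, direction)
 * and the same result convention, 0 = pass, nonzero = drop. Anything the
 * hook cannot classify (no ifp, bad index, bad direction) is dropped. */
static int filter_hook(void *arg, const struct pkt *p, const struct ifnet *ifp,
                       int dir)
{
    (void)arg;
    if (p == NULL || ifp == NULL || !if_index_ok(ifp->if_index) ||
        (dir != DIR_IN && dir != DIR_OUT))
        return 1;
    const struct if_table *t = &tables[ifp->if_index][dir];
    for (int i = 0; i < t->nrules; i++) {
        const struct rule *r = &t->rules[i];
        if (r->proto && r->proto != p->proto)
            continue;
        if (r->dport && r->dport != p->dport)
            continue;
        return r->action == ACT_PASS ? 0 : 1;   /* first match wins */
    }
    return t->default_action == ACT_PASS ? 0 : 1;
}

/* Constructed sample policy: em0 (index 1) faces the outside and admits only
 * SSH and HTTP inbound; em1 (index 2) is the inside and is left open. */
static void load_sample_ruleset(void)
{
    struct rule ssh  = { DIR_IN, 6, 22, ACT_PASS };
    struct rule http = { DIR_IN, 6, 80, ACT_PASS };
    memset(tables, 0, sizeof(tables));   /* start from block-everything */
    add_rule(1, &ssh);
    add_rule(1, &http);
    set_default(1, DIR_OUT, ACT_PASS);
    set_default(2, DIR_IN,  ACT_PASS);
    set_default(2, DIR_OUT, ACT_PASS);
}

int main(void)
{
    struct ifnet em0 = { 1, "em0" }, em1 = { 2, "em1" };
    struct pkt telnet = { 6, 23 };
    load_sample_ruleset();
    printf("tcp/23 in on em0: %d, on em1: %d (0 = pass, 1 = drop)\n",
           filter_hook(NULL, &telnet, &em0, DIR_IN),
           filter_hook(NULL, &telnet, &em1, DIR_IN));
    return 0;
}
```

The per-interface tables are what make the interface test free at packet time; a real implementation would index by the kernel's own if_index range and handle interface arrival and departure, which this model does not.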
