[geeks] Routing problem: solution in progress
Charles Shannon Hendrix
shannon at widomaker.com
Wed Dec 27 01:21:32 CST 2006
Tue, 26 Dec 2006 @ 20:28 -0500, Sridhar Ayengar said:
> Charles Shannon Hendrix wrote:
> > Tue, 26 Dec 2006 @ 11:21 +0200, Michael-John Turner said:
> >
> >>> Of course, I have no complex firewall rules yet, and right now ipfilter
> >>> setup is minimal, and I'm not running a snooper yet.
> >> You should take a look at pf - I switched from IPFilter to pf a few years
> >> back and I'm very happy. NetBSD 3.1 supports it, but not in the GENERIC
> >> kernel - you'll either need to load the lkm or build a custom kernel with
> >> pf support.
> >
> > I might take a look. I've not built a kernel for it yet. Too many other
> > distractions, and I am not bothered much by the stock kernel yet.
>
> What's pf's big advantage over IPFilter? Performance? Simplicity?
> Shorter data path?

It has a few extra features that come in handy.

Like I said, I've not taken a look, just read about it.

One reason I've read about it is that I hate having to specify addresses
in rules when I really want the rule to apply relative to an interface.

I wish similar improvements could be made to routing in general. It's
stupid to have to route to an address when what I really want is to say
something like:

    route add default hme1

...when I know that whatever IP address hme1 has, that's where I want
things to go.

For example, setting up dynamic IP interfaces that act as gateways gets
a hell of a lot simpler if you can just use an interface in routing,
filtering, and NAT rules.

Either that, or maybe have some built-in variables that can reference
certain known values.

For example:

    <iface>.address would be a reference to that IP address

    <iface>.gateway would let you refer to a gateway for the net
    an interface is on. Yes, there are times when that's useful.

...and so on.

--
shannon "AT" widomaker.com -- ["And in billows of might swell the Saxons
before her,-- Unite, oh unite! Or the billows burst o'er her!" -- Downfall
of the Gael]
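
Added example, not part of the original post: a pf.conf sketch of the interface-relative style the message asks for, in the classic `nat on ... ->` syntax (newer OpenBSD releases write NAT as `nat-to`). `hme1` is the interface named in the post; `hme0` as the inside interface and the addresses in the commented-out contrast rule are assumptions constructed for illustration.

```conf
# pf.conf: gateway whose external interface gets a dynamic address.
# Assumptions (not from the post): hme0 is the inside interface;
# 10.0.0.0/24 and 192.0.2.10 are constructed sample addresses.

ext_if = "hme1"
int_if = "hme0"

scrub in all

# Address-bound form, shown only for contrast. It has to be edited by
# hand every time the external lease or the inside subnet changes:
#   nat on $ext_if from 10.0.0.0/24 to any -> 192.0.2.10

# Interface-relative form:
#   $int_if:network  expands to the network(s) attached to hme0
#   ($ext_if)        parentheses make pf track hme1's current address,
#                    so the rule follows DHCP/PPP changes with no reload
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default-deny inbound on the outside, and drop packets that claim an
# inside source address but arrive on any other interface.
block in log on $ext_if all
antispoof quick for $int_if inet

# Filter rules written against interfaces, never literal addresses.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Without the parentheses, pf resolves the interface name to its address once, when the ruleset is loaded, so a later address change leaves the rule pointing at the old address until the ruleset is reloaded.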