Robert Elz <k...@munnari.oz.au> writes:
> All BSD systems are inherently routers (and while many people don't
> like this model, that is how it has always been). The routing
> functionality is central to everything in the BSD (internet) stack.
> (Unix domain sockets, and other protocols, are, and might be, resp,
> different.)
Sure, I understand that. It is still sensible to want to be able to write a firewall rule that will only be matched for a packet that is being input to the host portion (delivered to a socket, more or less), or has been emitted from the host portion (sent by a socket, more or less). I think it's a design bug in a firewall not to be able to do that simply and straightforwardly. A firewall not filtering things that are on some fast path is also a bug. We should have semantics first, and then efficiency.