This isn't my primary area of expertise, but a few comments for your
consideration:
- The diagrams on pages 4 and 6 would be more helpful if they indicated
the entity (for example, the SMF service) which actually performs each
of the steps noted.
- Section 2.1 vaguely notes that there are requirements from firewall
software vendors which are not being met. It would be useful to be more
specific about what those requirements are, and why we've chosen to
defer meeting them.
- Section 3 mentions that the scope of the design may be extended beyond
its initial scope of firewall software. It would be helpful to place
this design into context if you could be more explicit about what those
possible extensions might be.
- Section 3.5 notes two models, and proceeds to pick one without any
rationale for why one meets the requirements in section 2 better than
the other.
- The network interface model in 4.1.1 seems odd to me, and possibly
clumsy to use. There's little explanation that I could find of why the
hook framework should provide differentiation between physical and
logical entities, or of why packet interception is necessarily
associated with a physical interface.
- 4.2.5: Please, can we provide a better way to control the loopback
filtering than an /etc/system setting? Can't this be determined
automatically based on the ipf.conf rules? Is loopback filtering
disabled truly the right default anymore, at least when zones and other
virtualization techniques are likely to be in use?
- Appendix B - I don't get, based on the info presented, why we don't
need analogs for Linux's NF_*_LOCAL_* hooks.
Dave
_______________________________________________
networking-discuss mailing list