On Thu, Jul 03, 2003 at 05:52:48PM +0200, Cedric Berger wrote:

> You're right, 2 bridges on the same machine cannot work with PF.
> That was discussed before, without conclusive solution.
> I was in favor of tying states to interfaces, but there were objections.
> Maybe we need a keyword like "lock" or "attach" or "tie" to attach
> a state to a given interface, which would solve your problem (and
> other problems)
I agree it should be done, but we'll have to solve a couple of issues first.

For instance, the NATLOOK ioctl would require the caller to pass the interface name for the state lookup (otherwise it might find the wrong state). There are several tools that use NATLOOK by now (ftp-proxy, the ssh patch, squid and other proxies in ports). We'll have to adjust them all.

For instance, ftp-proxy would probably require a new command line switch to specify the interface name for the NATLOOK ioctl (it doesn't need to know the interface for anything else, and I see no way it could figure it out without an additional switch).

IMO, it's well worth the effort, but it will be some effort :)

Daniel
