Yes, either that or having NATLOOK return all states found (potentially >1)
You're right, 2 bridges on the same machine cannot work with PF. That was discussed before, without conclusive solution. I was in favor of tying states to interfaces, but there were objections. Maybe we need a keyword like "lock" or "attach" or "tie" to attach a state to a given interface, which would solve your problem (and other problems)
I agree it should be done, but we'll have to solve a couple of issues first. For instance, the NATLOOK ioctl would require the caller to pass the interface name for the state lookup (otherwise it might find the wrong state).
There are several tools that use NATLOOK by now (ftp-proxy, the ssh patch, squid and other proxies in ports). We'll have to adjust them all. For instance, ftp-proxy would probably require a new command line switch to specify the interface name for the NATLOOK ioctl (it doesn't need to know the interface for anything else, and I see no way it could figure it out without an additional switch).
Well, I'm really interested in that feature. Now that I've almost finished the cleaning up of userland, I'd be interested to work on that.
After the 5 days vacations that I'm gonna take from Friday to next Tuesday...
Cedric
