On Thu, Jul 03, 2003 at 06:07:06PM +0200, Daniel Hartmeier wrote:
> On Thu, Jul 03, 2003 at 05:52:48PM +0200, Cedric Berger wrote:
> 
> > You're right, 2 bridges on the same machine cannot work with PF.
> > That was discussed before, without conclusive solution.
> > I was in favor of tying states to interfaces, but there were objections.
> > Maybe we need a keyword like "lock" or "attach" or "tie" to attach
> > a state to a given interface, which would solve your problem (and
> > other problems)
> 
> I agree it should be done, but we'll have to solve a couple of issues
> first. For instance, the NATLOOK ioctl would require the caller to pass
> the interface name for the state lookup (otherwise it might find the
> wrong state). There are several tools that use NATLOOK by now
> (ftp-proxy, the ssh patch, squid and other proxies in ports). We'll have
> to adjust them all. For instance, ftp-proxy would probably require a new
> command line switch to specify the interface name for the NATLOOK ioctl
> (it doesn't need to know the interface for anything else, and I see no
> way it could figure it out without an additional switch).
> 
> IMO, it's well worth the effort, but it will be some effort :)

It's more complicated than that.
While I think that states should indeed be bound to an interface, 
changing anything like that becomes less and less acceptable. pf is 
widely deployed nowadays, and there are more 3rd party apps using the 
interfaces than we know of. Compatibility becomes a major issue.

That doesn't mean we cannot change anything anymore - it's just 
dramatically more complicated now, and some basics are rather 
"untouchable" now.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
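
As an added illustration of the ambiguity Daniel describes above (a NATLOOK-style lookup that carries no interface name may find the wrong state once states are tied to interfaces), here is a small C model of an interface-bound state table. It is written for this page and is not code from pf, ftp-proxy, or any tool mentioned in the thread; the interface names, addresses, the simplified key structure, and the `natlook`/`rdport_for` helpers are all assumptions made for the example, and the real DIOCNATLOOK ioctl is not modelled.

```c
/*
 * Added example, not pf code: a toy state table where each state is bound
 * to the interface it was created on. Two bridges on one machine see the
 * same packet, so two states share one 5-tuple; a lookup keyed on the
 * 5-tuple alone is ambiguous, a lookup keyed on (ifname, 5-tuple) is not.
 * All names, addresses and structures below are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16

/* Toy 5-tuple key (IPv4 only, host byte order; simplified for the example). */
struct key {
    uint8_t  proto;
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* Toy state entry: bound to the interface it was created on. */
struct state {
    char       ifname[IFNAMSIZ];
    struct key key;
    uint32_t   rdaddr;  /* translated destination address, what a NAT lookup wants back */
    uint16_t   rdport;  /* translated destination port */
};

/*
 * Constructed state table. 10.0.0.1:40000 -> 10.0.0.2:80 was seen on both
 * bridges (member interfaces em0 and em2), so two states share one 5-tuple.
 * The differing rdport only exists so the two lookup results can be told apart.
 */
static const struct state table[] = {
    { "em0", { 6, 0x0a000001, 0x0a000002, 40000, 80 }, 0x0a000002, 8080 },
    { "em2", { 6, 0x0a000001, 0x0a000002, 40000, 80 }, 0x0a000002, 8081 },
    { "em0", { 6, 0x0a000003, 0x0a000002, 40001, 22 }, 0x0a000002, 22   },
};
#define NSTATES (sizeof table / sizeof table[0])

static int key_eq(const struct key *a, const struct key *b)
{
    return a->proto == b->proto && a->saddr == b->saddr && a->daddr == b->daddr
        && a->sport == b->sport && a->dport == b->dport;
}

/*
 * NAT lookup in the toy table. ifname == NULL models a lookup that carries
 * no interface: every state with a matching 5-tuple is a candidate.
 * Returns the number of candidates; *out is the first one found (or NULL).
 */
static int natlook(const char *ifname, const struct key *k, const struct state **out)
{
    int n = 0;
    *out = NULL;
    for (size_t i = 0; i < NSTATES; i++) {
        if (!key_eq(&table[i].key, k))
            continue;
        if (ifname != NULL && strncmp(table[i].ifname, ifname, IFNAMSIZ) != 0)
            continue;
        if (*out == NULL)
            *out = &table[i];
        n++;
    }
    return n;
}

/*
 * TCP lookup wrapper: returns the translated port on an unambiguous hit,
 * -1 on a miss, -2 when more than one state matches (the "wrong state" case:
 * the caller would silently get whichever one the table returned first).
 */
static int rdport_for(const char *ifname, uint32_t saddr, uint16_t sport,
                      uint32_t daddr, uint16_t dport)
{
    struct key k = { 6, saddr, daddr, sport, dport };
    const struct state *s;
    int n = natlook(ifname, &k, &s);
    if (n == 0) return -1;
    if (n > 1)  return -2;
    return s->rdport;
}

int main(void)
{
    printf("no ifname : %d\n", rdport_for(NULL,  0x0a000001, 40000, 0x0a000002, 80));
    printf("ifname em0: %d\n", rdport_for("em0", 0x0a000001, 40000, 0x0a000002, 80));
    printf("ifname em2: %d\n", rdport_for("em2", 0x0a000001, 40000, 0x0a000002, 80));
    printf("ifname em1: %d\n", rdport_for("em1", 0x0a000001, 40000, 0x0a000002, 80));
    return 0;
}
```

Build with `cc -Wall -o natlook_demo natlook_demo.c` and run it. The first lookup reports the ambiguous case (-2): that is the situation a proxy calling a lookup without an interface name would be in on a two-bridge box, which is why the thread concludes that tools like ftp-proxy would need a way to name the interface before states could be bound to one.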
