>>>>> "hf" == Hauke Fath <hauke Espresso.Rhein-Neckar.DE> writes:
hf> (a) pf keeps state per-interface

no,

    set state-policy if-bound
    set state-policy floating

in the options section controls whether or not packets will match state that was created on interfaces other than the one on which they're being sent/received.

hf> You could probably work around that by extensive use of macros, but I find that inflates the namespace and rather obscures the rule base.

I find it doesn't. All pf.conf's make extensive use of macros and syntactic sugar, and it's tremendously more readable and less mistake-prone. Seriously. I have a couple hundred rules and like thirty HFSC queues. The macros are good.

hf> (b), my current ruleset relies heavily on (per-interface) groups, for structuring the ruleset more than performance, and pf does not support groups.

yeah, I felt there were missing verbs, like 'block commit' meaning, ``if the packet is marked for blocking at this point in marching through the ruleset, block it right now as if 'block quick'. If the packet's marked for passing, proceed on through the ruleset.'' and then a 'pass commit' to go with it.
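A pf.conf fragment illustrating the state-policy point and the macro style from the reply above, added here as an example and not taken from the thread; the interface names, addresses and the per-rule `(floating)` state option are assumptions for illustration, and the global default is set to `if-bound` so the contrast is visible in one file.

```pf
# Added example, not from the thread. Interface names and networks
# below are assumptions.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.10.0/24"
dmz_web = "192.168.20.10"
web_ports = "{ 80 443 }"

# Global default: a state is bound to the interface it was created on,
# so a packet of the same flow seen on another interface does not match
# it (what the reply calls 'if-bound'). The alternative default is
# 'set state-policy floating', where one state matches on any interface.
set state-policy if-bound
set skip on lo0

block log all

# Under if-bound, forwarded traffic needs state on each interface it
# crosses: one rule creates state as the packet enters on $lan_if, a
# second creates state as it leaves on $dmz_if.
pass in  on $lan_if proto tcp from $lan_net to $dmz_web port $web_ports keep state
pass out on $dmz_if proto tcp from $lan_net to $dmz_web port $web_ports keep state

# Per-rule override: this state is floating, so the single state created
# on $ext_if also matches the reply when it appears on $dmz_if, without a
# matching out-rule there. (Per-rule state option assumed for illustration.)
pass in on $ext_if proto tcp from any to $dmz_web port $web_ports keep state (floating)

# Macros keep the per-interface blocks short and make address or port
# changes a one-line edit instead of a search across the rule base.
pass out on $ext_if from $lan_net keep state
```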