[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Skipping interfaces in pf [was: pf filtering on loopback?]

To: tech_(_at_)_openbsd_(_dot_)_org
Subject: Re: Skipping interfaces in pf [was: pf filtering on loopback?]
From: Daniel Hartmeier <daniel_(_at_)_benzedrine_(_dot_)_cx>
Date: Tue, 14 Dec 2004 22:37:58 +0100

On Tue, Dec 14, 2004 at 02:39:25PM -0500, Mike Frantzen wrote:

> That thread is long and I'm lazy, but why not just prefix your ruleset
> with:

There are cases where the state check has unwanted side-effects that you
can't prevent with any existing construct, like the example given for
loopback (I'm to lazy to write an executive summary here ;). This is
mainly relevant for virtual interfaces and features like
route/reply/dup-to or synproxy, it doesn't warrant a large or complex
additional feature. But the proposal is neither, IMO.

I'm not using the argument regarding performance at all, I doubt it will
make a significant difference in most setups. But it won't make anything
slower, in any case (the flag check is as cheap as it gets).

Daniel

References:
- Skipping interfaces in pf [was: pf filtering on loopback?]
  - From: Max Laier

Prev by Date: Skipping interfaces in pf [was: pf filtering on loopback?]
Next by Date: Re: ksh file name completion oddity / ksh cleanup question
Previous by thread: Skipping interfaces in pf [was: pf filtering on loopback?]
Next by thread: Re: Skipping interfaces in pf [was: pf filtering on loopback?]
Index(es):
- Date
- Thread

Visit your host, monkey.org