Zhijun Fu wrote:

> For input, we might want to do something like below in the future:
> 
> #pass in family ether from 11:22:33:44:55:55 to any l2-head 100
> #pass in proto tcp from any to any l2-group 100 layer2
> 
> For output, we might want to do something similar:
> 
> #pass out family ether from 66:55:44:33:22:11 to any l2-head 200
> #pass out proto tcp from any to any l2-group 200 layer2
> 
> (the same for combining L2 filtering + "layer2" L3 NAT)
> 
> To do this, we need the L2 firewall to be processed earlier
> than "layer2" IP firewall (and "layer2" IP NAT), for
> both INPUT and OUTPUT, as otherwise we don't know whether
> a "layer2" IP firewall/NAT rule should be processed or not
> if we do E -> D -> C -> B -> A for output, as the rules
> can be conditional which depend on the L2 firewall rules,
> which haven't been processed at that time.

One way to think about this is that what you have as the rule with 
l2-head isn't a traditional firewall rule, but that it instead is a 
classification rule whose result is to tag/label the packet for further 
processing.
Other rules can then be written which use the tag/label.

In that case clearly the classification has to happen before its use.

But I don't see l2-head and l2-group in the current case, thus to avoid 
confusing the users couldn't we simplify the current description to be 
symmetric?

    Erik
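A small model of the ordering point Erik makes, written as an added illustration (not code from the discussion or from the firewall project): the L2 rules with `l2-head` act as classifiers that tag the packet, and the "layer2" L3 rules with `l2-group` can only match once that tag exists, so running L3 before L2 yields no match. The `Packet`, `L2Rule`, `L3Rule` classes and the `tags` set are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    direction: str            # "in" or "out"
    src_mac: str              # Ethernet source address
    proto: str                # e.g. "tcp"
    tags: set = field(default_factory=set)   # labels set by L2 classification (assumed)


@dataclass
class L2Rule:
    """pass <dir> family ether from <src_mac> to any l2-head <tag>"""
    direction: str
    src_mac: str              # "any" or a MAC address
    l2_head: int              # tag applied to the packet on match


@dataclass
class L3Rule:
    """pass <dir> proto <proto> from any to any l2-group <tag> layer2"""
    direction: str
    proto: str
    l2_group: int             # tag the packet must already carry
    action: str = "pass"


def classify_l2(pkt: Packet, rules: list) -> set:
    """First pass: L2 rules only label the packet; they do not decide it."""
    for r in rules:
        if r.direction == pkt.direction and r.src_mac in ("any", pkt.src_mac.lower()):
            pkt.tags.add(r.l2_head)
    return pkt.tags


def evaluate_l3(pkt: Packet, rules: list) -> str:
    """Second pass: 'layer2' L3 rules are conditional on the tag from the first pass."""
    for r in rules:
        if r.direction == pkt.direction and r.proto == pkt.proto and r.l2_group in pkt.tags:
            return r.action
    return "no-match"


def process(pkt: Packet, l2_rules: list, l3_rules: list) -> str:
    """Classification has to run before its use, for both input and output."""
    classify_l2(pkt, l2_rules)
    return evaluate_l3(pkt, l3_rules)
```

Constructed rules that mirror the two quoted rule pairs: an input packet from 11:22:33:44:55:55 gets tag 100 and then matches the "layer2" tcp rule, while evaluating the L3 rule before classification returns no match.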