James Carlson wrote:

>Darren Reed writes:
>
>>This case will extend PSARC/2005/334, by adding the ability to intercept
>>packets in MAC layer using the PFHooks infrastructure.
>
>Very minor nit: case title doesn't quite match the contents. I was
>excited to see the name, because I'm working on MAC layer interception
>... until I read that it was just a PFHooks extension for layer 2.
>
>>Users can use ipf(1M) to add ethernet filtering rules in addition to IP
>>filtering rules, the ethernet filtering rules are marked with "family ether".
>>Unlike IPv6, no special command line switch is required to load ethernet
>>rules. And by default, ethernet rules should be put in /etc/ipf/ipf.conf.
>
>That seems strange.
>
>We currently have /etc/ipf/ipf.conf for IPv4 and the undocumented
>/etc/ipf/ipf6.conf for IPv6. Why wouldn't we have /etc/ipf/ipfl2.conf
>(or some such) for L2-specific rules?
>
>Or if "family ether" is a good way to do this, why wouldn't we have
>"family inet" and "family inet6" and get rid of /etc/ipf/ipf6.conf?
>
>What's the intended direction?

In PSARC/2005/201, which was IPv6 for IPFilter, the direction from PSARC was to move to a single configuration file for all of the filtering statements - thus /etc/ipf/ipf6.conf was introduced as an obsolete interface with the understanding that it would be subsumed in the future by /etc/ipf/ipf.conf. The background here is that the current use of IPv6 filtering outside of Solaris uses a separate file.

Thus it seemed to not make any sense to introduce a new file that would also be obsolete at introduction - more importantly, there is no prior history in open source for a separate file.

Darren
