I've been working with NSE composition and found that with direct memif I can't create a working firewall app.
Detailed description
The little squares in the picture are memif interfaces. I removed the forwarders from the picture for simplicity (they are present in my local tests).
Passthrough endpoints in my tests look somewhat similar to forwarders, and when there is no direct memif, traffic flows 1 -> 2 -> 3 -> 4, as I understand it. When direct memif logic is present, traffic flows 1 -> 4. So if we place an ACL in 2 or 3, it wouldn't affect anything and there would be no traffic filtering.
Possible solution
If I understood the problem correctly, then one of the possible solutions would be extracting the direct memif logic to a separate server and using it combined with ordinary memif when the option "with direct memif" is passed.
Direct memif got directly incorporated into the memif chain elements, but directmemif needs to be its own independent chain element that is only used in the forwarder.
This is a good catch and debug on your part... the solution I would recommend would be to look at factoring out the 'direct' part to a separate chain element we only use in the forwarder.