Bastiaan Bakker - 2000-08-02

In some situations it's not possible to have source verification turned on in the kernel (FreeSWAN doesn't like it, if I recall correctly). So in these cases we need firewall rules tied to specific interfaces.
The generator does not support this at the moment, however.
I thought it might be a good idea to be able to optionally specify the interface(s) through which a net object is reachable. The script could then create a chain for each interface and add rules to these chains. The resulting firewall probably will be quicker too.
What do you think? Good idea or a wasted effort?
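
Added example, not part of the original post and not the generator's own code: a sketch of the proposal above, in which each net object optionally lists the interfaces it is reachable through and one source-check chain is emitted per interface. The iptables syntax, the `src_<iface>` chain names, the function name and the sample objects are all assumptions made for illustration.

```python
from ipaddress import ip_network

# Constructed sample: net object -> (CIDR, interfaces it is reachable through).
# An empty interface list means the object is not pinned to any interface,
# so no source check is generated for it.
NET_OBJECTS = {
    "lan": ("192.168.1.0/24", ["eth1"]),
    "dmz": ("10.0.0.0/24", ["eth2"]),
    "vpn_peer": ("172.16.5.0/24", ["ipsec0", "eth0"]),
    "internet": ("0.0.0.0/0", ["eth0"]),
    "roaming": ("10.9.0.0/16", []),
}


def build_rules(objects):
    """Return iptables commands creating one source-check chain per interface."""
    pinned = [
        (ip_network(cidr), set(ifaces))
        for _, (cidr, ifaces) in sorted(objects.items())
        if ifaces
    ]
    interfaces = sorted({i for _, ifaces in pinned for i in ifaces})
    rules = []
    for iface in interfaces:
        chain = f"src_{iface}"
        rules.append(f"iptables -N {chain}")
        # Only packets arriving on this interface traverse its chain.
        rules.append(f"iptables -A INPUT -i {iface} -j {chain}")
        rules.append(f"iptables -A FORWARD -i {iface} -j {chain}")
        # Most specific prefix first, mirroring a longest-prefix route lookup:
        # a /24 that lives behind another interface must be dropped before
        # a 0.0.0.0/0 entry on this interface can let it through.
        for net, ifaces in sorted(pinned, key=lambda e: -e[0].prefixlen):
            action = "RETURN" if iface in ifaces else "DROP"
            rules.append(f"iptables -A {chain} -s {net} -j {action}")
        # Any source not covered by a pinned object is treated as spoofed.
        rules.append(f"iptables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(NET_OBJECTS)))
```

RETURN hands a packet with a plausible source back to the calling chain, so the normal policy rules still decide whether it is accepted.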