From owner-freebsd-hackers Sun Aug 18 11:09:51 1996
To: Warner Losh
cc: "Jordan K. Hubbard", "Ugen J.S.Antsilevich", hackers@freebsd.org
Subject: Re: ipfw vs ipfilter
In-reply-to: Your message of "Sun, 18 Aug 1996 10:15:05 MDT." <199608181615.KAA00454@rover.village.org>
Date: Sun, 18 Aug 1996 16:42:33 +0200
Message-ID: <6538.840379353@critter.tfs.com>
From: Poul-Henning Kamp

In message <199608181615.KAA00454@rover.village.org>, Warner Losh writes:
>: The only thing I have against ditching ipfw and replacing with ipfilter
>: is that the latter is getting too big for comfort.
>
>One of our paranoid villagers recently did a code review on ipfw.  He
>said it was OK, but found a couple of problems.  Specifically, the
>code lacked comments, there was a bug in the IP header fragment
>discarding code (if the offset was one, it would discard the fragment,
>but not when it was 2, it should properly discard the fragment for all
>offsets > 0 < the size of the headers), it assumed that the user

This is a common mistake, only offset==1 needs to be discarded.

>He preferred ipfw to ipfilter (which we've been using for a long time)
>because ipfw was easier to verify than ipfilter because ipfilter has
>added too many bells and whistles for his comfort.

my sentiment too.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
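
Added example, not part of the original message and not ipfw's code: the two fragment-offset rules discussed in this thread, applied to a raw IPv4 header so the offsets they drop can be compared. The function names, the policy enum and the 20-byte TCP header used for "the size of the headers" are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_OFFMASK  0x1fffu /* low 13 bits of the flags/offset word */
#define PROTO_TCP   6
#define TCP_MIN_HDR 20u     /* assumption: TCP header without options */

enum frag_policy { DROP_OFFSET_ONE, DROP_INSIDE_HEADER };

/* 1 = drop, 0 = pass, -1 = not a usable IPv4 header. */
int frag_should_drop(const uint8_t *pkt, size_t len, enum frag_policy policy)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;
    if (pkt[9] != PROTO_TCP)
        return 0;                       /* the rule only concerns TCP */
    /* Bytes 6-7, network order; the offset counts 8-byte units of payload. */
    unsigned off = (((unsigned)pkt[6] << 8) | pkt[7]) & IP_OFFMASK;
    if (off == 0)
        return 0;                       /* first fragment or unfragmented */
    if (policy == DROP_OFFSET_ONE)
        return off == 1;                /* rule stated in the reply */
    return off * 8u < TCP_MIN_HDR;      /* rule proposed in the quoted review */
}

/* Constructed sample input: bare 20-byte IPv4/TCP header with offset `off`. */
int drop_for_offset(unsigned off, enum frag_policy policy)
{
    uint8_t h[20] = {0};
    h[0] = 0x45;                        /* version 4, IHL 5 */
    h[9] = PROTO_TCP;
    h[6] = (uint8_t)((off >> 8) & 0x1f);
    h[7] = (uint8_t)(off & 0xff);
    return frag_should_drop(h, sizeof h, policy);
}

int main(void)
{
    for (unsigned off = 0; off <= 3; off++)
        printf("offset %u: offset==1 rule=%d, inside-header rule=%d\n", off,
               drop_for_offset(off, DROP_OFFSET_ONE),
               drop_for_offset(off, DROP_INSIDE_HEADER));
    return 0;
}
```

The two rules differ only at offset 2, which starts at payload byte 16.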