Date: Sun, 15 Dec 2002 12:05:07 -0800 (PST)
From: Nate Lawson
To: Matthew Dillon
Cc: current@FreeBSD.ORG
Subject: Re: ipfw userland breaks again.
In-Reply-To: <200212151940.gBFJeA1l086827@apollo.backplane.com>

On Sun, 15 Dec 2002, Matthew Dillon wrote:
> Here's a new patch. But there isn't much of a point if we do not
> also disallow ipfw DELETE and FLUSH. And the pipe config commands
> as well as anything else that changes the firewall state. Firewalls
> are there to protect the systems behind them. I think deleting the
> rule that, say, prevents spoofing is as bad as adding a rule that
> allows everything through :-(

One other avenue would be to stick a temporary check for ABI compat in
installworld before overwriting ipfw. Or for the next few releases, build
both ipfw1 and ipfw2 and install both (say, symlinking ipfw -> ipfw2 by
default). You could fall back to ipfw1 if ipfw2 returns an error code in
rc scripts. I'd prefer this kind of hack in the install/rc process, not
in a new API.

Regarding civility to developers, there are a ton of frustrating things in
any project. I think civility should be the response given to both
reasonable and unreasonable people. If they are unreasonable, giving a
reasonable response just makes them look bad.

-Nate