Date: Thu, 19 Dec 2002 22:29:30 -0500
From: Hiten Pandya
To: Darren Reed
Cc: Sam Leffler, Hiten Pandya, current@FreeBSD.ORG, darrenr@FreeBSD.ORG
Subject: Re: PFIL_HOOKS should be made default in 5.0

On Fri, Dec 20, 2002 at 12:27:59PM +1100, Darren Reed wrote the words in effect of:
> Well someone has blown my cover from developers and has asked here
> what I was trying to be more surreptitious about!
>
> In some email I received from Sam Leffler, sie wrote:
> > > A teeny-weeny issue I would like to discuss, is that we make the pfil(9)
> > > hooks code default in 5.0, and remove the kernel option; this is because
> > > it creates problems when PFIL_HOOKS is not in the (e.g. GENERIC) kernel,
> > > and someone tries to load the ipfilter kernel module (ipl.ko). [1]
> > >
> > > I have discussed this with Darren, but would just like to make it
> > > public, so it can be discussed by the release engineers etc. I
> > > apologize but I do not have patches for this.
> > >
> >
> > Enabling PFIL_HOOKS changes various code paths. Doing this so late in the
> > release cycle is a bad idea. I also recall that there is a performance
> > penalty (at least in the bridge code) for having this enabled.
>
> There are callouts in both the IPv{4,6} paths for input and output with
> PFIL_HOOKS and also bridging.
>
> PFIL_HOOKS is 1 .c file and 1 .h file and a very small amount of code.
> Also, given its generic nature, I'd hope that ipfw* could eventually
> move to use it for intercepting packets along the above code paths.
>
> The bloat factor from including it in the base kernel should be very
> small and perhaps the impact of the code being active in those packet
> paths close to immeasurable (I hope.)
>
> > Both issues make it seem like it should stay an option for 5.0.
>
> I agree with this.

Maybe we should put in the release notes, that:
"PFIL_HOOKS is required for IPFILTER"

-- 
Hiten Pandya (hiten@unixdaemons.com, hiten@uk.FreeBSD.org)
http://www.unixdaemons.com/~hiten/