From owner-freebsd-hackers@FreeBSD.ORG Thu Dec 4 08:31:06 2003
Date: Thu, 4 Dec 2003 11:28:07 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "Devon H.O'Dell"
cc: freebsd-hackers@freebsd.org
In-Reply-To: <62090848-2668-11D8-AAE8-000A95E5E66E@sitetronics.com>
Subject: Re: IPFW and the IP stack
List-Id: Technical Discussions relating to FreeBSD

On Thu, 4 Dec 2003, Devon H.O'Dell wrote:

> This is obviously the most logical explanation. There's a good bit of
> questioning for PFIL_HOOKS to be enabled in generic to allow ipf to be
> loaded as a module as well. If this is the case, we'll have two
> firewalls that have their hooks compiled in by default allowing for them
> both to be loaded as modules. (Is this still scheduled for 5.2?)
>
> But at this point, there's no way to allow one to turn the IPFW hooks
> *off*. Is there a reason for this?
>
> Would it be beneficial (or possible) to hook ipfw into pfil(9)? This
> way, we could allow the modules to be loaded by default for both and
> also allow for the total absence of both in the kernel. Sorry if I've
> missed discussions on this and am being redundant.

Sam Leffler has done a substantial amount of work to push all of the
various "hacks" (features?) behind PFIL_HOOKS, and I anticipate we'll
ship PFIL_HOOKS enabled in GENERIC in 5.3 and use it to plug in most of
these services. This also means packages like IPFilter and PF will work
"out of the box" without a kernel recompile, not to mention offering
substantial architectural cleanup.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research