From owner-freebsd-hackers@FreeBSD.ORG Thu Dec 4 08:50:49 2003
Date: Thu, 4 Dec 2003 17:50:36 +0100
From: Devon H. O'Dell
To: Robert Watson
cc: freebsd-hackers@freebsd.org
Subject: Re: IPFW and the IP stack
List-Id: Technical Discussions relating to FreeBSD

On Thursday, December 4, 2003, at 05:28 PM, Robert Watson wrote:

> On Thu, 4 Dec 2003, Devon H. O'Dell wrote:
>
>> This is obviously the most logical explanation. There's a good bit of
>> questioning for PFIL_HOOKS to be enabled in GENERIC to allow ipf to be
>> loaded as a module as well. If this is the case, we'll have two
>> firewalls that have their hooks compiled in by default, allowing for
>> them both to be loaded as modules. (Is this still scheduled for 5.2?)
>>
>> But at this point, there's no way to allow one to turn the IPFW hooks
>> *off*. Is there a reason for this?
>>
>> Would it be beneficial (or possible) to hook ipfw into pfil(9)? This
>> way, we could allow the modules to be loaded by default for both and
>> also allow for the total absence of both in the kernel. Sorry if I've
>> missed discussions on this and am being redundant.
>
> Sam Leffler has done a substantial amount of work to push all of the
> various "hacks" (features?) behind PFIL_HOOKS, and I anticipate we'll
> ship PFIL_HOOKS enabled in GENERIC in 5.3 and use it to plug in most of
> these services. This also means packages like IPFilter and PF will work
> "out of the box" without a kernel recompile, not to mention offering
> substantial architectural cleanup.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org      Senior Research Scientist, McAfee Research

This is great news and definitely something I am interested in
contributing to. Sam: how can I help with this?

Kind regards,

Devon H. O'Dell