From owner-freebsd-current  Fri Dec 20 16:59: 6 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 11DC137B401
	for <current@freebsd.org>; Fri, 20 Dec 2002 16:59:05 -0800 (PST)
Received: from puffin.mail.pas.earthlink.net (puffin.mail.pas.earthlink.net [207.217.120.139])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8885243EDA
	for <current@freebsd.org>; Fri, 20 Dec 2002 16:59:04 -0800 (PST)
	(envelope-from tlambert2@mindspring.com)
Received: from [216.20.231.174] (helo=mindspring.com)
	by puffin.mail.pas.earthlink.net with asmtp (SSLv3:RC4-MD5:128)
	(Exim 3.33 #1)
	id 18PXyU-0005RI-00; Fri, 20 Dec 2002 16:58:42 -0800
Message-ID: <3E03BC72.422C971F@mindspring.com>
Date: Fri, 20 Dec 2002 16:57:22 -0800
From: Terry Lambert <tlambert2@mindspring.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Sergey Mokryshev <mokr@mokr.net>
Cc: Vallo Kallaste <kalts@estpak.ee>, Sam Leffler <sam@errno.com>,
	Hiten Pandya <hiten@unixdaemons.com>,
	Darren Reed <darrenr@reed.wattle.id.au>, current@FreeBSD.ORG
Subject: Re: PFIL_HOOKS should be made default in 5.0
References: <20021221020951.C7129-100000@lemori.mokr.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: b1a02af9316fbb217a47c185c03b154d40683398e744b8a402e10d5e3318b96eb32f40b85ad3c050a7ce0e8f8d31aa3f350badd9bab72f9c350badd9bab72f9c
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

Sergey Mokryshev wrote:
> Unfortunately nobody cares to look into PR database (conf/44576)
> 
> In case PFIL_HOOKS really slows IP processing I don't mind keeping this
> out of GENERIC, however it should be noted in UPDATING and release notes.
> 
> I did not do any time consuming searches the first time I tried to load
> ipl.ko, but I've spent some time reading NOTES before upgrading to
> -CURRENT and I am using IP Filter for about three years now on  Solaris
> and FreeBSD (thanks, Darren).
> 
> IMHO GENERIC is not supposed to be fast, but to be useable out-of-the box.

This is a reasonable argument... if it's possible to tune it so
that it's fast.  Hacking in the IP Filter hooks unonditionally
for code that can't really be distributed as part of the system
because of its license, and thus making things slower, with no
chance to make them faster later, is not my idea of A Really
Good Thing(tm).

I'm really not a fan of "NO_PFIL_HOOKS" as an option.

Probably the correct thing to do is to wire in ipfilter as a
Netgraph module.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message