Date: Sat, 21 Dec 2002 04:15:09 +0300 (MSK)
From: Sergey Mokryshev
To: Terry Lambert
Cc: Vallo Kallaste, Sam Leffler, Hiten Pandya, Darren Reed
Subject: Re: PFIL_HOOKS should be made default in 5.0
In-Reply-To: <3E03BC72.422C971F@mindspring.com>
Message-ID: <20021221040724.G7129-100000@lemori.mokr.ru>
Sender: owner-freebsd-current@FreeBSD.ORG

On Fri, 20 Dec 2002, Terry Lambert wrote:

> Sergey Mokryshev wrote:
> > Unfortunately nobody cares to look into PR database (conf/44576)
> >
> > In case PFIL_HOOKS really slows IP processing I don't mind keeping this
> > out of GENERIC, however it should be noted in UPDATING and release notes.
> >
> > I did not do any time consuming searches the first time I tried to load
> > ipl.ko, but I've spent some time reading NOTES before upgrading to
> > -CURRENT and I am using IP Filter for about three years now on Solaris
> > and FreeBSD (thanks, Darren).
> >
> > IMHO GENERIC is not supposed to be fast, but to be useable out-of-the box.
>
> This is a reasonable argument... if it's possible to tune it so
> that it's fast. Hacking in the IP Filter hooks unconditionally
> for code that can't really be distributed as part of the system
> because of its license, and thus making things slower, with no
> chance to make them faster later, is not my idea of A Really
> Good Thing(tm).
>
> I'm really not a fan of "NO_PFIL_HOOKS" as an option.
>

I'm not talking about NO_PFIL_HOOKS but "options PFIL_HOOKS" in GENERIC.
Too many people may foot shoot themselves trying to upgrade from 4-STABLE
to 5.0. "dd" in vi is really quick.
We still can remove this option from BOOTMFS kernel to keep it small.

> Probably the correct thing to do is to wire in ipfilter as a
> Netgraph module.
>

AFAIK Solaris, HP-UX and others lack Netgraph support, but support pfil.
Darren may (or may not) explain it further.
IMHO it is almost impossible and pointless (I did not look in the code,
just MHO).

Sergey Mokryshev
--
Sergey S. Mokryshev
SMP453, MOKR-RIPN