From owner-freebsd-security Sun Jun 23 12:37:49 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA16542 for security-outgoing; Sun, 23 Jun 1996 12:37:49 -0700 (PDT)
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA16531; Sun, 23 Jun 1996 12:37:44 -0700 (PDT)
Received: (from alex@localhost) by zen.nash.org (8.7.5/8.6.12) id OAA00300; Sun, 23 Jun 1996 14:35:46 -0500 (CDT)
Date: Sun, 23 Jun 1996 14:35:46 -0500 (CDT)
Message-Id: <199606231935.OAA00300@zen.nash.org>
From: Alex Nash
To: nate@sri.MT.net
Cc: freebsd-security@FreeBSD.org, gpalmer@FreeBSD.org, taob@io.org, phk@FreeBSD.org
Subject: Re: IPFW documentation
Reply-to: nash@mcs.com
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> > You bet.  How about this:
> >
> >   - Bring src/sys/netinet/ip_fw.c up to -current level (or very
> >     close to).
> >
> >   - Bring src/sbin/ipfw/ipfw.c in line with the kernel changes.
> >
> >   - Try and get the man page in shape (the version in -current is
> >     a lot closer, but not perfect).
>
> It works for me, but I'm not an expert on any of it.  However, when I
> upgrade my box from 2.1R -> 2.1.5 I will want to know what has changed.
> Unfortunately, I can't do that for at least another 2 weeks since I'm
> upgrading everything else this week and am taking time off the week
> after.

I'm not sure how much I can help with the differences, but I guess I
would summarize the main differences as:

  - The default policy is now deny (previously it was allow)
  - The syntax of ipfw has changed substantially (see ipfw(8) for details)

> > When this is done, I'll announce where patches can be found so that as
> > many people as possible can bang on it to make sure it's ok.
>
> Patches for what?  I don't think you'll get enough time to get it
> reviewed and in before Tuesday, but if you think it can be done go for
> it.
> In any case, the docs and the source should match by the time 2.1.5
> is rolled.

In between writing the first message and this one I've merged -stable
with -current and am running it at this moment.  The main advantages are:

  - Better error messages, usage output, etc.
  - Slightly more intuitive (accepts host names, for example)
  - New features (yes, this can be viewed as a reason *not* to include it
    in -release, but I haven't heard any complaints about the code in
    -current yet)
  - Updated man page (we can use the one in current)

I need to tie up a few loose ends, and then I'll post patches so that it
can be reviewed by all.

> > That'll give me the comfort level I'd need to place these changes into
> > 2.1.5.  Does this sound viable?
>
> As long as everything is in sync, I don't mind.  I'd prefer backing out
> the new stuff completely if we can't keep the sources and docs in
> sync, since the only thing worse than buggy code is code that's
> documented incorrectly.

I'm not going to touch backing out the new stuff; that would be Poul's
decision.  If the current ipfw implementation stays, I think it would be
worthwhile to try and incorporate the most recent man page and
cosmetic/convenience fixes to ipfw.  To make this happen though, we need
reviewers.  Any volunteers? :)

Alex