Date:      Wed, 12 Sep 2012 23:17:26 +0200
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        Gleb Smirnoff <glebius@FreeBSD.org>
Cc:        luigi@FreeBSD.org, "Bjoern A. Zeeb" <bz@FreeBSD.org>, net@FreeBSD.org
Subject:   Re: moving pfil consumers to sys/netpfil
Message-ID:  <20120912211726.GB10974@onelab2.iet.unipi.it>
In-Reply-To: <20120912123457.GC85604@glebius.int.ru>
References:  <20120912123457.GC85604@glebius.int.ru>

On Wed, Sep 12, 2012 at 04:34:57PM +0400, Gleb Smirnoff wrote:
>   Hi,
> 
>   we (me and Bjoern) would like to establish a single place
> for all kinds of pfil(9) consumers, for current ones and
> for future as well.
> 
>   The place chosen is sys/netpfil.
> 
>   On first round we'd like to move there our Tier-1 firewalls:
> ipfw and pf. This also includes moving pf out of contrib.
> 
>   The plan of movement is the following:
> 
> sys/contrib/pf/net/*.c		-> sys/netpfil/pf/
> sys/contrib/pf/net/*.h		-> sys/net/		[1]
> contrib/pf/pfctl/*.c		-> sbin/pfctl
> contrib/pf/pfctl/*.h		-> sbin/pfctl
> contrib/pf/pfctl/pfctl.8	-> sbin/pfctl
> contrib/pf/pfctl/*.4		-> share/man/man4
> contrib/pf/pfctl/*.5		-> share/man/man5
> 
> sys/netinet/ipfw		-> sys/netpfil/ipfw

I have two concerns against moving ipfw/

- what do we gain by moving ipfw/ further
  away from its user header files (whose location in netinet/
  is pretty much part of the API so difficult to change) ?

- pfil is just one of the APIs that the ipfw code
  uses to send/receive packets (pfil, netmap for FreeBSD,
  and then netfilter and ndispacket for the other OS).
  The pfil dependencies amount to probably 1% of the code.
  So if we really want to relocate ipfw/ i'd rather move to
  a more generic place (but as far as i know we do not have
  one for subsystems -- dev/ is used for drivers, other stuff
  has generally accumulated under sys/, see geom, ofed, netgraph).

> That's all.
> 
> [1] This line is arguable, however the future plan is to:
>     - split pfvar.h into pf.h and pf_var.h
>     - kill if_pfsync.h and if_pflog.h as soon as they stop being ifnets

this i am curious about - are you planning to remove bpf support
for pflog, or just implement it in a different way ?

cheers
luigi


