Date: Thu, 26 Feb 2004 06:18:46 +0000
From: Bruce M Simpson
To: Steve Kargl
Cc: Max Laier, src-committers@freebsd.org, cvs-src@freebsd.org, cvs-all@freebsd.org
Message-ID: <20040226061846.GB15864@saboteur.dek.spc.org>
In-Reply-To: <20040226060126.GA70201@troutmask.apl.washington.edu>
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h
 src/sys/contrib/pf/netinet in4_cksum.c

On Wed, Feb 25, 2004 at 10:01:26PM -0800, Steve Kargl wrote:
> > Log:
> > Bring diff from the security/pf port. This code has been tested as a port
> > for a long time and is run in production use. This is the code present in
> > portversion 2.03 with some additional tweaks.
>
> Was this import discussed on arch@ or current@? We now have ipfw, ipfilter,
> and pf in the base system. How many more firewall packages are we going
> to import into the base system? Are you going to remove ipfw or ipfilter?
> Is there a NO_PF make.conf knob?

PF is not in the base system at this time.

The import is the product of ongoing discussions between several of the
network developers; core@ have also been involved (Max was brought onto
the team explicitly for this purpose).

A by-product of the pf import is that other more general fixes have been
ongoing within the network stack which are related to parallelism in the
network stack (removal of MT_TAG on-stack mbufs, for one thing).

The benefits (many) outweigh the disadvantages (few); pf development and
maintenance is extremely active compared to the other firewall
implementations we have. The IPv6 support is also very mature and extensive.
Maintenance of pf outside of the main kernel source tree is difficult
because of the API differences between OpenBSD and FreeBSD.

We do not plan to remove ipfw or ipfilter at this time nor do we have plans
to remove them, until pf receives further evaluation by the user base, there
would be no mandate or grounding for such a decision.
We do however plan to try to smooth the differences between the different
codebases as much as possible, through the use of PFIL_HOOKS (this was
something I discussed with luigi@ and markm@ over lunch in December).

I also have Evil Plans(tm) for pf on FreeBSD.

BMS