From: Luigi Rizzo <rizzo@icir.org>
To: Tim Robbins <tjr@FreeBSD.org>
Cc: cvs-src@FreeBSD.org, Max Laier, cvs-all@FreeBSD.org, Steve Kargl, src-committers@FreeBSD.org
Date: Thu, 26 Feb 2004 01:50:16 -0800
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
Message-ID: <20040226015016.B23674@xorpc.icir.org>
In-Reply-To: <20040226080517.GA29763@cat.robbins.dropbear.id.au>
References: <200402260234.i1Q2YDx1014240@repoman.freebsd.org> <20040226060126.GA70201@troutmask.apl.washington.edu> <20040226080517.GA29763@cat.robbins.dropbear.id.au>
List-Id: CVS commit messages for the entire tree

For what matters, I have posted to -net patches some time ago to extend ipfw2 to deal with IPv6 packets (thus effectively replacing ipfw6). No feedback in 6 weeks; to me this looks like lack of interest.

> problem of having too many firewalls. What I'd like to see is ipfw,
> ipfilter and ip6fw implemented in terms of the pf kernel code, then

what is the motivation for that? Features? To me there is no clear winner.

Honestly, I believe that the microcode-based approach of ipfw2 is a lot simpler to maintain and extend than the one used in pf (which resembles a lot the original ipfw), and dropping it would be a step backward. ipfw2 has some instructions (e.g. the 'address set') that greatly simplify the writing of rulesets.

A definite plus in pf is the in-kernel NAT support, but that could be ported to ipfw2 with approx. the same effort needed to port dummynet to pf.

So, I'd say the ideal firewall would have the ipfw2 microcode-based rules and dummynet, and pf's NAT. I don't care what we call it; the point is that some work is needed in both cases.

cheers
luigi

> eventually phased out after a few releases. With the exception of dummynet,
> this should be fairly straightforward.
>
> If you're worried about the size of the base system, there are plenty
> of other rarely-used features that could be removed to "make room" for pf.
>
>
> Tim
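The 'address set' instruction Luigi refers to is ipfw2's addr/masklen{list} notation, which matches every host in the base network whose last octet is in the braced list (single values or ranges). The following POSIX shell script is an added example, not part of this thread or of the ipfw or pf code: it shows one such rule, expands the set it covers, and emits the pf table that would be needed to express the same sparse set. The rule number, the table name `blocked`, and the 10.0.3.0/24 addresses are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or either firewall's code.
# Shows what an ipfw2 "address set" covers and what the pf equivalent looks
# like: one bitmask rule in ipfw2 versus a table with one entry per host in pf.

# Constructed ipfw2 rule using the address-set notation (rule number made up).
IPFW_RULE='add 100 deny ip from 10.0.3.0/24{128,35-55,89} to any'

# expand_set SET: print every address covered by addr/masklen{list},
# one per line, in list order (ranges are walked low to high).
expand_set() {
    base=${1%%/*}                       # 10.0.3.0
    rest=${1#*/}                        # 24{128,35-55,89}
    list=${rest#*\{}                    # 128,35-55,89}
    list=${list%\}}                     # 128,35-55,89
    prefix=${base%.*}                   # 10.0.3
    old_ifs=$IFS
    IFS=,
    for item in $list; do               # split on commas only
        IFS=$old_ifs
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;   # range a-b
            *)   lo=$item;      hi=$item ;;        # single octet
        esac
        i=$lo
        while [ "$i" -le "$hi" ]; do
            printf '%s.%s\n' "$prefix" "$i"
            i=$((i + 1))
        done
    done
    IFS=$old_ifs
}

# in_set ADDR SET: succeed if ADDR is one of the addresses the set covers.
in_set() {
    expand_set "$2" | grep -Fx "$1" >/dev/null
}

# pf_table NAME SET: emit the pf.conf table holding the same hosts, so the
# single ipfw2 rule can be compared with the table pf needs for the same set.
pf_table() {
    printf 'table <%s> { %s }\n' "$1" "$(expand_set "$2" | paste -s -d ',' -)"
}

# Demo: the ipfw2 rule, the hosts it covers, and the pf table for them.
printf 'ipfw2: %s\n' "$IPFW_RULE"
expand_set '10.0.3.0/24{128,35-55,89}'
pf_table blocked '10.0.3.0/24{128,35-55,89}'
printf 'pf:    block in quick from <blocked> to any\n'
```

The set above expands to 23 hosts (128, 35 through 55, and 89), which is why the single ipfw2 rule is easier to write and read than the 23-entry pf table; pf's table lookup is still efficient, so the difference Luigi points at is in ruleset authoring, not in matching cost.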