From owner-cvs-all@FreeBSD.ORG Thu Feb 26 02:30:49 2004
Message-ID: <403DCACC.2EEA8AD3@freebsd.org>
Date: Thu, 26 Feb 2004 11:30:36 +0100
From: Andre Oppermann <andre@freebsd.org>
To: Luigi Rizzo
Cc: Max Laier, Tim Robbins, Steve Kargl, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org, src-committers@FreeBSD.org
References: <200402260234.i1Q2YDx1014240@repoman.freebsd.org> <20040226060126.GA70201@troutmask.apl.washington.edu> <20040226080517.GA29763@cat.robbins.dropbear.id.au> <20040226015016.B23674@xorpc.icir.org>
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
List-Id: CVS commit messages for the entire tree

Luigi Rizzo wrote:
>
> For what it matters, I have posted to -net patches some time ago to extend
> ipfw2 to deal with ipv6 packets (thus effectively replacing ipfw6).
> No feedback in 6 weeks; to me this looks like lack of interest.
>
> > problem of having too many firewalls. What I'd like to see is ipfw,
> > ipfilter and ip6fw implemented in terms of the pf kernel code, then
>
> What is the motivation for that? Features?
>
> To me there is no clear winner.
>
> Honestly, I believe that the microcode-based approach of ipfw2 is
> a lot simpler to maintain and extend than the one used in pf
> (which resembles a lot the original ipfw), and dropping it would
> be a step backward.
> ipfw2 has some instructions (e.g. the 'address set') that greatly
> simplify the writing of rulesets.

Full double ACK!

--
Andre

> A definite plus in 'pf' is the in-kernel NAT support, but that
> could be ported to ipfw2 with approx. the same effort needed to port
> dummynet to pf.
>
> So, I'd say the ideal firewall would have the ipfw2 microcode-based
> rules and dummynet, and pf's NAT. I don't care what we call it; the
> point is that some work is needed in both cases.
>
> cheers
> luigi
>
> > eventually phased out after a few releases. With the exception of dummynet,
> > this should be fairly straightforward.
> >
> > If you're worried about the size of the base system, there are plenty
> > of other rarely-used features that could be removed to "make room" for pf.
> >
> >
> > Tim