From: Sam Leffler
Date: Thu, 26 Feb 2004 21:11:14 -0800
To: Luigi Rizzo
cc: Max Laier
cc: Steve Kargl
cc: cvs-src@FreeBSD.org
cc: cvs-all@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: Tim Robbins
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
In-Reply-To: <20040226015016.B23674@xorpc.icir.org>
References: <200402260234.i1Q2YDx1014240@repoman.freebsd.org> <20040226060126.GA70201@troutmask.apl.washington.edu> <20040226080517.GA29763@cat.robbins.dropbear.id.au> <20040226015016.B23674@xorpc.icir.org>
Message-Id: <5D79345A-68E3-11D8-AE91-000A95AD0668@errno.com>

On Feb 26, 2004, at 1:50 AM, Luigi Rizzo wrote:

> For what matters, I have posted to -net patches some time ago to extend
> ipfw2 to deal with ipv6 packets (thus effectively replacing ipfw6).
> No feedback in 6 weeks; to me this looks like lack of interest.
>
>> problem of having too many firewalls. What I'd like to see is ipfw,
>> ipfilter and ip6fw implemented in terms of the pf kernel code, then
>
> What is the motivation for that? Features?
>
> To me there is no clear winner.
>
> Honestly, I believe that the microcode-based approach of ipfw2 is
> a lot simpler to maintain and extend than the one used in pf
> (which resembles a lot the original ipfw), and dropping it would
> be a step backward.
> ipfw2 has some instructions (e.g. the 'address set') that greatly
> simplify the writing of rulesets.
>
> A definite plus in 'pf' is the in-kernel NAT support, but that
> could be ported to ipfw2 with approx. the same effort needed to port
> dummynet to pf.
>
> So, I'd say the ideal firewall would have the ipfw2 microcode-based
> rules and dummynet, and pf's NAT. I don't care what we call it; the
> point is that some work is needed in both cases.

I agree with Luigi about much of this. I'm happy to see pf brought into the tree because it's actively being developed and folks look to be using it (it looks to me like it's going to become the most often used filtering package for folks with *bsd systems). However, I think the "microcode-based" architecture used by ipfw2 and the BSD/OS ipfw code is a better design. I also worry that pf is bloating as people leverage it to do many things only semi-related to packet filtering.

Sam
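The thread contrasts a "microcode-based" rule engine (each rule is a short program of match instructions, ending in an action) with a fixed-field rule table, and mentions the 'address set' instruction as something that shortens rulesets. The sketch below is an added example, written for this page; it is not code from ipfw2, pf or FreeBSD, and its opcodes, structures and the three-host set are constructed for illustration. It shows why the argument holds: one rule with a set instruction expresses what would otherwise be one rule per address, and adding a new match type is a new opcode in the interpreter rather than a new field in every rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: these opcodes and structures are NOT ipfw2's real ones. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PROTO_TCP 6
#define PROTO_UDP 17

enum opcode {
    OP_PROTO,    /* match if pkt->proto == arg */
    OP_SRC_SET,  /* match if pkt->src is a member of the attached address set */
    OP_DST_PORT, /* match if pkt->dport == arg */
    OP_ACCEPT,   /* terminal: accept */
    OP_DENY      /* terminal: drop */
};

enum { VERDICT_DENY = 0, VERDICT_ACCEPT = 1, VERDICT_NOMATCH = -1 };

struct pkt { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };
struct addr_set { const uint32_t *addrs; size_t n; };
struct insn { enum opcode op; uint32_t arg; const struct addr_set *set; };
struct rule { const struct insn *prog; size_t len; };

static int set_contains(const struct addr_set *s, uint32_t a) {
    for (size_t i = 0; i < s->n; i++)
        if (s->addrs[i] == a) return 1;
    return 0;
}

/* Run one rule's micro-program: the first failing match opcode ends the rule
 * without a verdict; a terminal opcode returns the verdict. */
static int run_rule(const struct rule *r, const struct pkt *p) {
    for (size_t i = 0; i < r->len; i++) {
        const struct insn *in = &r->prog[i];
        switch (in->op) {
        case OP_PROTO:    if (p->proto != in->arg) return VERDICT_NOMATCH; break;
        case OP_SRC_SET:  if (!set_contains(in->set, p->src)) return VERDICT_NOMATCH; break;
        case OP_DST_PORT: if (p->dport != in->arg) return VERDICT_NOMATCH; break;
        case OP_ACCEPT:   return VERDICT_ACCEPT;
        case OP_DENY:     return VERDICT_DENY;
        }
    }
    return VERDICT_NOMATCH; /* program ended without a terminal opcode */
}

/* First rule that reaches a terminal opcode decides; otherwise default deny. */
int filter_packet(const struct rule *rules, size_t nrules, const struct pkt *p) {
    for (size_t i = 0; i < nrules; i++) {
        int v = run_rule(&rules[i], p);
        if (v != VERDICT_NOMATCH) return v;
    }
    return VERDICT_DENY;
}

/* Constructed ruleset: one set-based deny replaces three per-address rules. */
static const uint32_t blocked_hosts[] = { IP4(10,0,0,5), IP4(10,0,0,9), IP4(192,168,1,7) };
static const struct addr_set blocked = { blocked_hosts, 3 };

static const struct insn deny_ssh_from_set[] = {
    { OP_PROTO, PROTO_TCP, NULL }, { OP_SRC_SET, 0, &blocked },
    { OP_DST_PORT, 22, NULL },     { OP_DENY, 0, NULL }
};
static const struct insn allow_ssh[] = {
    { OP_PROTO, PROTO_TCP, NULL }, { OP_DST_PORT, 22, NULL }, { OP_ACCEPT, 0, NULL }
};
const struct rule ruleset[] = { { deny_ssh_from_set, 4 }, { allow_ssh, 3 } };
const size_t ruleset_len = 2;

/* Convenience wrapper: build a packet header and run it through the ruleset. */
int decide(uint8_t proto, uint32_t src, uint16_t dport) {
    struct pkt p = { proto, src, IP4(10,0,0,1), 40000, dport };
    return filter_packet(ruleset, ruleset_len, &p);
}

int main(void) {
    printf("tcp/22 from 10.0.0.9   -> %d\n", decide(PROTO_TCP, IP4(10,0,0,9), 22));
    printf("tcp/22 from 10.0.0.1   -> %d\n", decide(PROTO_TCP, IP4(10,0,0,1), 22));
    printf("udp/22 from 10.0.0.1   -> %d\n", decide(PROTO_UDP, IP4(10,0,0,1), 22));
    printf("tcp/80 from 192.168.1.7 -> %d\n", decide(PROTO_TCP, IP4(192,168,1,7), 80));
    return 0;
}
```

The design point is in `run_rule`: rules are data interpreted by one small loop, so a new match kind (an IPv6 address set, say) is one new `case`, and the per-rule cost is only the instructions that rule actually uses. A reviewer of such an engine would also want the interpreter to reject programs without a terminal opcode at load time, since here they silently fall through to the next rule.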