Subject: Re: ipfilter(4) needs maintainer
From: Scott Long <scottl@samsco.org>
Date: Sat, 13 Apr 2013 06:03:45 -0600
To: Rui Paulo <rpaulo@FreeBSD.org>, Gleb Smirnoff <glebius@FreeBSD.org>
Cc: "current@freebsd.org" <current@FreeBSD.org>,
 "net@freebsd.org" <net@FreeBSD.org>


On Apr 13, 2013, at 12:33 AM, Rui Paulo <rpaulo@FreeBSD.org> wrote:

> On 2013/04/12, at 22:31, Scott Long <scottl@samsco.org> wrote:
>
>> On Apr 12, 2013, at 7:43 PM, Rui Paulo <rpaulo@FreeBSD.org> wrote:
>>
>>> On 2013/04/11, at 13:18, Gleb Smirnoff <glebius@FreeBSD.org> wrote:
>>>
>>>> Lack of maintainer in a near future would lead to bitrot due to changes
>>>> in other areas of network stack, kernel APIs, etc. This already happens,
>>>> many changes during 10.0-CURRENT cycle were only compile tested wrt
>>>> ipfilter. If we fail to find maintainer, then a correct decision would be
>>>> to remove ipfilter(4) from the base system before 10.0-RELEASE.
>>>
>>> This has been discussed in the past. Every time someone came up and said "I'm still using ipfilter!" and the idea to remove it dies with it.
>>> I've been saying we should remove it for 4 years now. Not only it's outdated but it also doesn't fit well in the FreeBSD roadmap. Then there's the question of maintainability. We gave the author a commit bit so that he could maintain it. That doesn't happen anymore and it sounds like he has since moved away from FreeBSD. I cannot find any reason to burden another FreeBSD developer with maintaining ipfilter.
>>>
>>
>> One thing that FreeBSD is bad about (and this really applies to many open source projects) when deprecating something is that the developer and release engineering groups rarely provide adequate, if any, tools to help users transition and cope with the deprecation.  The fear of deprecation can be largely overcome by giving these users a clear and comprehensive path forward.  Just announcing "ipfilter is going away.  EOM" is inadequate and leads to completely justified complaints from users.
>
> I agree with the deprecation path, but given the amount of changes that happened in the last 6 months, I'm not even sure ipfilter is working fine in FreeBSD CURRENT, but I haven't tested it.
>

Your target audience for this isn't people who track CURRENT, it's people who are on 7, 8, or 9 and looking to update to 10.x sometime in the future.

>> So with that said, would it be possible to write some tutorials on how to migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs accompanied by a few case studies?  Is it possible for a script to automate some of the common mechanical changes?  Also essential is a clear document on what goes away with ipfilter and what is gained with pf.  Once those tools are written, I suggest announcing that ipfilter is available but deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  Certain people will still pitch a fit about it departing, but if the tools are there to help the common users, you'll be successful in winning mindshare and general support.
>
>
> It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but I'm not sure automated tools exist. I'm also not convinced we need to write them and I think the issue can be dealt with by writing a bunch of examples on how to do it manually. Then we can give people 1y to switch.
>

Please believe me that no matter how trivial you think the switch is, a migration guide still needs to be written.

Scott