Date: Thu, 23 Apr 1998 01:51:25 +0200
From: Eivind Eklund
To: darrenr@reed.wattle.id.au
Cc: cvs-committers@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <19980423015125.15103@follo.net>
In-Reply-To: <9804222327.AA01355@avalon.reed.wattle.id.au.>

On Thu, Apr 23, 1998 at 01:50:05AM +1000, darrenr@reed.wattle.id.au wrote:
> In some email I received from Eivind Eklund, sie wrote:
> >
> > On Tue, Apr 21, 1998 at 04:31:13PM -0700, Julian Elischer wrote:
> > > why?
> > > if you recompile it with a new structure...
> >
> > That's what I'm saying - it blows the userland interface. It means
> > that anything using IPFW has to track the kernel version exactly.
>
> There are numerous programs like this already - ps, netstat, top, etc.
>
> I'd say "deal with it".

ps et al. aren't that critical. Sure, it sucks that they are that way,
but if ps is broken, _you can still get to the machine_. This is not
the case with IPFW.

Having a structure-dependent interface for the firewall is IMO not
acceptable. I'm planning (have started) to do something about it
locally; I'd like to throw that code into FreeBSD, but I'd like to know
I'm not alone in thinking that an abstracted, slightly slower interface
for adding rules is a good change.

> > > I agree on the new interface, but the limit on the structure size
> > > was that each file rule had to fit into an mbuf.
>
> see NetBSD's pfil(9) for a starting point.

This is nice for an in-kernel interface, but it would be good to have a
unified userland interface, too.

Eivind.