From: Andre Oppermann <andre@freebsd.org>
To: Tim Robbins
Cc: cvs-src@FreeBSD.org, Max Laier, cvs-all@FreeBSD.org, Steve Kargl, src-committers@FreeBSD.org
Date: Thu, 26 Feb 2004 11:17:08 +0100
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
Message-ID: <403DC7A4.A0131A1@freebsd.org>
References: <200402260234.i1Q2YDx1014240@repoman.freebsd.org> <20040226060126.GA70201@troutmask.apl.washington.edu> <20040226080517.GA29763@cat.robbins.dropbear.id.au>
List-Id: CVS commit messages for the src tree

Tim Robbins wrote:
>
> On Wed, Feb 25, 2004 at 10:01:26PM -0800, Steve Kargl wrote:
> > On Wed, Feb 25, 2004 at 06:34:13PM -0800, Max Laier wrote:
> > > mlaier      2004/02/25 18:34:12 PST
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     sys/contrib/pf/net     if_pflog.c if_pflog.h if_pfsync.c
> > >                            if_pfsync.h pf.c pf_ioctl.c pf_norm.c
> > >                            pf_osfp.c pf_table.c pfvar.h
> > >     sys/contrib/pf/netinet in4_cksum.c
> > >   Log:
> > >   Bring diff from the security/pf port. This code has been tested as a port
> > >   for a long time and is run in production use. This is the code present in
> > >   portversion 2.03 with some additional tweaks.
> > >
> > >   The rather extensive diff accounts for:
> > >    - locking (to enable pf to work with a giant-free netstack)
> > >    - byte order difference between OpenBSD and FreeBSD for ip_len/ip_off
> > >    - conversion from pool(9) to zone(9)
> > >    - api differences etc.
> > >
> > >   Approved by:  bms(mentor) (in general)
> > >
> >
> > Was this import discussed on arch@ or current@? We now have ipfw, ipfilter,
> > and pf in the base system. How many more firewall packages are we going
> > to import into the base system? Are you going to remove ipfw or ipfilter?
> > Is there a NO_PF make.conf knob?
>
> You forgot about ip6fw. I agree that having 4 firewalls in the base system
> is somewhat excessive, but not importing pf is not a solution to the
> problem of having too many firewalls. What I'd like to see is ipfw,
> ipfilter and ip6fw implemented in terms of the pf kernel code, then
> eventually phased out after a few releases. With the exception of dummynet,
> this should be fairly straightforward.

Ick, please leave ipfw2 in there, I like it much more than pf (especially
syntax). If you are going to nuke something then hit ipfilter. It's not
really being maintained and not even the current main version. pf pretty
much replaces ipfilter, people say.

> If you're worried about the size of the base system, there are plenty
> of other rarely-used features that could be removed to "make room" for pf.

--
Andre
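The commit message quoted above names the ip_len/ip_off byte-order difference between OpenBSD and FreeBSD as one thing the pf port had to account for, and touches in4_cksum.c, the checksum helper. The following C is an added illustration of that hazard; it is not code from pf, from the FreeBSD port, or from anyone in this thread. It assumes the conventions of the time: FreeBSD's ip_input() swapped ip_len and ip_off to host byte order before handing the packet to the filter hooks, while OpenBSD left them in wire (network) order. Fragment-decoding or checksum code written for one convention silently misreads the other on a little-endian host. All struct, function and constant names (ip4_hdr, ip4_frag, ip4_swap_len_off, ip4_checksum, sample_pkt) are the example's own, and the 20-byte header is constructed for it.

```c
/* Added example (not pf's or FreeBSD's code): the ip_len/ip_off byte-order
 * hazard between OpenBSD and FreeBSD named in the commit message, plus the
 * IPv4 header checksum that breaks if the swapped fields are not swapped back. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_DF      0x4000u  /* don't fragment */
#define IP_MF      0x2000u  /* more fragments follow */
#define IP_OFFMASK 0x1fffu  /* fragment offset in 8-byte units */

/* Fixed 20-byte IPv4 header in wire layout; every field is naturally aligned,
 * so memcpy() from a packet buffer reproduces the wire bytes exactly. */
struct ip4_hdr {
    uint8_t  vhl, tos;
    uint16_t len, id, off;
    uint8_t  ttl, proto;
    uint16_t sum;
    uint32_t src, dst;
};

/* Convention the caller's stack keeps h->len and h->off in. */
enum ip4_order { IP4_NET_ORDER, IP4_HOST_ORDER };

struct ip4_frag { uint16_t total_len, off_bytes; int more, dont; };

static int host_is_little_endian(void) {
    uint16_t one = 1; uint8_t first; memcpy(&first, &one, 1); return first == 1;
}

/* 16-bit network<->host swap; an involution, so the same call swaps back. */
static uint16_t be16(uint16_t v) {
    return host_is_little_endian() ? (uint16_t)((v << 8) | (v >> 8)) : v;
}

/* Copy a header out of a buffer; rejects short buffers, non-v4, or IHL past end. */
static int ip4_parse(const uint8_t *buf, size_t n, struct ip4_hdr *h) {
    if (n < sizeof *h || (buf[0] >> 4) != 4 || (size_t)(buf[0] & 0x0f) * 4 > n)
        return -1;
    memcpy(h, buf, sizeof *h);
    return 0;
}

/* What FreeBSD's ip_input() did before the filter hooks: len and off swapped
 * to host order in place (OpenBSD leaves them as on the wire). Calling it
 * again restores wire order, which a port must do before handing the header
 * back to code that expects wire order. */
static void ip4_swap_len_off(struct ip4_hdr *h) { h->len = be16(h->len); h->off = be16(h->off); }

/* Decode fragment fields; returns 1 if the packet is a fragment, else 0.
 * 'order' must state which convention h is currently in. */
static int ip4_frag(const struct ip4_hdr *h, enum ip4_order order, struct ip4_frag *f) {
    uint16_t len = h->len, off = h->off;
    if (order == IP4_NET_ORDER) { len = be16(len); off = be16(off); }
    f->total_len = len;
    f->more = (off & IP_MF) != 0;
    f->dont = (off & IP_DF) != 0;
    f->off_bytes = (uint16_t)((off & IP_OFFMASK) * 8);
    return (f->more || f->off_bytes) ? 1 : 0;
}

/* RFC 1071 checksum over big-endian 16-bit words read byte-wise, so the
 * result does not depend on host endianness. 0 means the header verifies. */
static uint16_t ip4_checksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample: second fragment of a 1500-byte UDP datagram, MF set,
 * offset 185*8 = 1480, 192.168.1.10 -> 192.168.1.20, valid checksum 0xb6be. */
static const uint8_t sample_pkt[20] = {
    0x45, 0x00, 0x05, 0xdc, 0x1a, 0x2b, 0x20, 0xb9, 0x40, 0x11, 0xb6, 0xbe,
    0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x01, 0x14
};

/* Correct: decode with the convention that matches the header's current state. */
static uint16_t correct_frag_off(void) {
    struct ip4_hdr h; struct ip4_frag f;
    if (ip4_parse(sample_pkt, sizeof sample_pkt, &h) != 0) return 0xffff;
    ip4_swap_len_off(&h);             /* FreeBSD hands pf a header like this */
    ip4_frag(&h, IP4_HOST_ORDER, &f);
    return f.off_bytes;
}

/* Bug: OpenBSD-convention decoding applied to a FreeBSD (host-order) header.
 * On little-endian hosts the offset and flags come out scrambled. */
static uint16_t mismatched_frag_off(void) {
    struct ip4_hdr h; struct ip4_frag f;
    if (ip4_parse(sample_pkt, sizeof sample_pkt, &h) != 0) return 0xffff;
    ip4_swap_len_off(&h);
    ip4_frag(&h, IP4_NET_ORDER, &f);
    return f.off_bytes;
}

/* Checksum after the host-order swap: non-zero on little-endian hosts unless
 * the fields are swapped back (swap_back != 0) before checksumming. */
static uint16_t checksum_after_swaps(int swap_back) {
    struct ip4_hdr h; uint8_t raw[sizeof h];
    if (ip4_parse(sample_pkt, sizeof sample_pkt, &h) != 0) return 0xffff;
    ip4_swap_len_off(&h);
    if (swap_back) ip4_swap_len_off(&h);
    memcpy(raw, &h, sizeof raw);
    return ip4_checksum(raw, sizeof raw);
}
```

On a little-endian host, correct_frag_off() yields 1480 while mismatched_frag_off() yields a garbage offset with the flag bits read from the wrong byte, and checksum_after_swaps(0) no longer verifies; on a big-endian host both paths coincide, which is why this class of bug only shows up when such code is ported to i386/amd64. Later FreeBSD releases (10 and onward) moved to keeping ip_len and ip_off in network byte order, removing this difference.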