From: Wes Peters
Organization: Softweyr
To: darrenr@FreeBSD.org (Darren Reed)
cc: cvs-src@FreeBSD.org
cc: Max Laier
cc: cvs-all@FreeBSD.org
cc: Steve Kargl
cc: src-committers@FreeBSD.org
Subject: Re: ipfilter/ipfw/pf
Date: Tue, 30 Mar 2004 05:44:55 -0000
X-Original-Date: Mon, 8 Mar 2004 22:46:55 -0800
Message-Id: <200403082246.55841.wes@softweyr.com>
In-Reply-To: <20040309035345.6CBC916A4D0@hub.freebsd.org>

On Monday 08 March 2004 07:53 pm, Darren Reed wrote:
> In some mail I received from Wes Peters, sie wrote
>
> > ipfilter I'm not so sure about, Darren doesn't seem to have been all
> > that active lately.  I suspect the locking changes have given him
> > reason to hide, he usually prefers to wait until such states of flux
> > have settled out before he tries to repair what he sees as damage to
> > ipfilter.  ;^)
>
> There's one main reason you don't see regular updates of ipfilter
> and that is every one in the past has introduced an ABI change
> which has hurt users, one way or another.  By minimizing the frequency
> of updating IPFilter, the frequency in which users get hurt is also
> reduced.

That's exactly what I tried (and apparently failed) to write.

> This is a problem that has been impacting FreeBSD & NetBSD users
> for a long time.  IPFilter v4 (now released) has been designed in
> a manner that allows this problem of ABI changes to be eliminated.
> This is a first for the open source community when it comes to
> firewall software and there are no indications from other development
> that suggest anyone else is going to pick up this ball.
>
> Version 4 of IPFilter brings with it many things you would find
> in pf that are not in the current version of IPFilter in the tree.
> It also brings in support for some other experimental ideas that
> have floated around for ipfw, such as converting filter rules into
> C code and compiling that up for policy enforcement.

Wow.  I'll be happy to see that.  I've been a contented ipfilter user for
years now, dating before my involvement with DoBox 2000-2002.

> As for locking - IPFilter has been working MP aware on Solaris for
> years.  Indeed, once the locking primitives became available on
> FreeBSD, IPFilter was able to start using them.  It didn't need
> to wait for "big lock" to change :)  The same was not true for the
> pfil interface but that has since been addressed.
>
> When will IPFilter v4 be in the tree?  Sometime very soon, when
> a 4.1.1 is baked.  When was 4.1 released?  Mid February (before
> pf was brought into the tree.)  It is being tested on 5.2.1 and
> 5.2, at present.  Are there regular snapshots of -current around
> somewhere to download and install?

That's great news.  Let me know if you need a beta site on FreeBSD; I'll
volunteer a couple of poor overworked IT guys at work so you get a real
test.

As for snapshots, my recommendation is to use cvsup to populate your own
CVS hierarchy on your development machine so you have the logs and complete
version information at your disposal.  Let me know if you need any help
setting that up; I'm happy to help.  It's not a major investment in disk
space -- my local CVSROOT including ports and docs is about 2 GBytes.

-- 
Where am I, and what am I doing in this handbasket?

Wes Peters
wes@softweyr.com