Date: Thu, 26 Feb 2004 06:18:46 +0000
From: Bruce M Simpson <bms@spc.org>
To: Steve Kargl <sgk@troutmask.apl.washington.edu>
Cc: cvs-all@freebsd.org
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
Message-ID: <20040226061846.GB15864@saboteur.dek.spc.org>
In-Reply-To: <20040226060126.GA70201@troutmask.apl.washington.edu>
References: <200402260234.i1Q2YDx1014240@repoman.freebsd.org> <20040226060126.GA70201@troutmask.apl.washington.edu>

On Wed, Feb 25, 2004 at 10:01:26PM -0800, Steve Kargl wrote:
> > Log:
> > Bring diff from the security/pf port. This code has been tested as a port
> > for a long time and is run in production use. This is the code present in
> > portversion 2.03 with some additional tweaks.
>
> Was this import discussed on arch@ or current@? We now have ipfw, ipfilter,
> and pf in the base system. How many more firewall packages are we going
> to import into the base system? Are you going to remove ipfw or ipfilter?
> Is there a NO_PF make.conf knob?

PF is not in the base system at this time.

The import is the product of ongoing discussions between several of the network developers; core@ have also been involved (Max was brought onto the team explicitly for this purpose).

A by-product of the pf import is that other more general fixes have been ongoing within the network stack which are related to parallelism in the network stack (removal of MT_TAG on-stack mbufs, for one thing).

The benefits (many) outweigh the disadvantages (few); pf development and maintenance is extremely active compared to the other firewall implementations we have. The IPv6 support is also very mature and extensive. Maintenance of pf outside of the main kernel source tree is difficult because of the API differences between OpenBSD and FreeBSD.

We do not plan to remove ipfw or ipfilter at this time, nor do we have plans to remove them; until pf receives further evaluation by the user base, there would be no mandate or grounding for such a decision.

We do however plan to try to smooth the differences between the different codebases as much as possible, through the use of PFIL_HOOKS (this was something I discussed with luigi@ and markm@ over lunch in December).

I also have Evil Plans(tm) for pf on FreeBSD.

BMS