ipfilter/ipfw/pf

Wes Peters wes at softweyr.com
Mon Mar 29 21:44:55 PST 2004


On Monday 08 March 2004 07:53 pm, Darren Reed wrote:
> In some mail I received from Wes Peters, sie wrote
>
> > ipfilter I'm not so sure about, Darren doesn't seem to have been all
> > that active lately.  I suspect the locking changes have given him
> > reason to hide, he usually prefers to wait until such states of flux
> > have settled out before he tries to repair what he sees as damage to
> > ipfilter.  ;^)
>
> There's one main reason you don't see regular updates of ipfilter
> and that is every one in the past has introduced an ABI change
> which has hurt users, one way or another.  By minimizing the frequency
> of updating IPFilter, the frequency in which users get hurt is also
> reduced.

That's exactly what I tried (and apparently failed) to write.

> This is a problem that has been impacting FreeBSD & NetBSD users
> for a long time.  IPFilter v4 (now released) has been designed in
> a manner that allows this problem of ABI changes to be eliminated.
> This is a first for the open source community when it comes to
> firewall software and there are no indications from other development
> that suggest anyone else is going to pick up this ball.
>
> Version 4 of IPFilter brings with it many things you would find
> in pf that are not in the current version of IPFilter in the tree.
> It also brings in support for some other experimental ideas that
> have floated around for ipfw, such as converting filter rules into
> C code and compiling that up for policy enforcement.

Wow.  I'll be happy to see that.  I've been a contented ipfilter user for 
years now, dating before my involvement with DoBox 2000-2002.

> As for locking - IPFilter has been working MP aware on Solaris for
> years.  Indeed, once the locking primitives became available on
> FreeBSD, IPFilter was able to start using them.  It didn't need
> to wait for "big lock" to change :)  The same was not true for the
> pfil interface but that has since been addressed.
>
> When will IPFilter v4 be in the tree?  Sometime very soon, when
> a 4.1.1 is baked.  When was 4.1 released ?  Mid February (before
> pf was brought into the tree.)  It is being tested on 5.2.1 and
> 5.2, at present.  Are there regular snapshots of -current around
> somewhere to download and install ?

That's great news.  Let me know if you need a beta site on FreeBSD; I'll 
volunteer a couple of poor overworked IT guys at work so you get a real 
test.

As for snapshots, my recommendation is to use cvsup to populate your own 
CVS hierarchy on your development machine so you have the logs and complete 
version information at your disposal.  Let me know if you need any help 
setting that up; I'm happy to help.  It's not a major investment in disk 
space -- my local CVSROOT including ports and docs is about 2 GBytes.

-- 

        Where am I, and what am I doing in this handbasket?

Wes Peters                                               wes at softweyr.com

