cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c

Bruce M Simpson bms at spc.org
Fri Feb 27 10:00:24 PST 2004


On Wed, Feb 25, 2004 at 10:01:26PM -0800, Steve Kargl wrote:
> >   Log:
> >   Bring diff from the security/pf port. This code has been tested as a port
> >   for a long time and is run in production use. This is the code present in
> >   portversion 2.03 with some additional tweaks.
> 
> Was this import discussed on arch@ or current@?  We now have ipfw, ipfilter,
> and pf in the base system.  How many more firewall packages are we going
> to import into the base system?  Are you going to remove ipfw or ipfilter?
> Is there a NO_PF make.conf knob?

PF is not in the base system at this time. The import is the product of
ongoing discussions between several of the network developers; core@
have also been involved (Max was brought onto the team explicitly for
this purpose).

A by-product of the pf import is that other more general fixes have
been ongoing within the network stack which are related to parallelism
in the network stack (removal of MT_TAG on-stack mbufs, for one thing).

The benefits (many) outweigh the disadvantages (few); pf development and
maintenance is extremely active compared to the other firewall
implementations we have. The IPv6 support is also very mature and
extensive. Maintenance of pf outside of the main kernel source tree is
difficult because of the API differences between OpenBSD and FreeBSD.

We do not plan to remove ipfw or ipfilter at this time, nor do we have
plans to remove them; until pf receives further evaluation by the user
base, there would be no mandate or grounding for such a decision.

We do however plan to try to smooth the differences between the different
codebases as much as possible, through the use of PFIL_HOOKS (this was
something I discussed with luigi@ and markm@ over lunch in December).

I also have Evil Plans(tm) for pf on FreeBSD.

BMS