moving pfil consumers to sys/netpfil

Bjoern A. Zeeb bz at FreeBSD.org
Thu Sep 13 16:36:17 UTC 2012


On Wed, 12 Sep 2012, Luigi Rizzo wrote:

> On Wed, Sep 12, 2012 at 04:34:57PM +0400, Gleb Smirnoff wrote:
>>   Hi,
>>
>>   we (me and Bjoern) would like to establish a single place
>> for all kinds of pfil(9) consumers, for current ones and
>> for future ones as well.
>>
>>   The place chosen is sys/netpfil.
>>
>>   On the first round we'd like to move there our Tier-1 firewalls:
>> ipfw and pf. This also includes moving pf out of contrib.
>>
>>   The plan of movement is the following:
>>
>> sys/contrib/pf/net/*.c		-> sys/netpfil/pf/
>> sys/contrib/pf/net/*.h		-> sys/net/		[1]
>> contrib/pf/pfctl/*.c		-> sbin/pfctl
>> contrib/pf/pfctl/*.h		-> sbin/pfctl
>> contrib/pf/pfctl/pfctl.8	-> sbin/pfctl
>> contrib/pf/pfctl/*.4		-> share/man/man4
>> contrib/pf/pfctl/*.5		-> share/man/man5
>>
>> sys/netinet/ipfw		-> sys/netpfil/ipfw
>
> I have two concerns against moving ipfw/
>
> - what do we gain by moving ipfw/ further
>  away from its user header files (whose location in netinet/
>  is pretty much part of the API and so difficult to change)?

What do we gain by having 3 firewalls ... in three different places
... in the tree?

The result is that ipfw unconditionally depends on a pf header file
.. oops .. that actually is an ALTQ thing *bummer*.


> - pfil is just one of the APIs that the ipfw code
>  uses to send/receive packets (pfil, netmap for FreeBSD,
>  and then netfilter and ndispacket for the other OS).

The other two really don't count for us.


>  The pfil dependencies amount to probably 1% of the code.
>     So if we really want to relocate ipfw/ I'd rather move it to
>  a more generic place (but as far as I know we do not have
>  one for subsystems -- dev/ is used for drivers, other stuff
>  has generally accumulated under sys/, see geom, ofed, netgraph).

You may remember we talked about this in the FreeBSD 8.0-CURRENT(?)
times when ipfw moved the last time.

So suggestions such as saying no and not coming up with anything better
are not helpful; otherwise I'll tell glebius "sorry for holding you
up for 3 days" and to go ahead with his initial proposal to also put pf into
netinet/pf, if you'd prefer that?

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
  Sometimes you wonder why people are so reluctant to clean things up
  and find a good solution for the next decade. It's no fun probably?
