Date: Fri, 12 Apr 2013 23:33:30 -0700 From: Rui Paulo <rpaulo@FreeBSD.org> To: Scott Long <scottl@samsco.org> Cc: current@FreeBSD.org, net@FreeBSD.org Subject: Re: ipfilter(4) needs maintainer Message-ID: <96D56EAE-E797-429E-AEC9-42B19B048CCC@FreeBSD.org> In-Reply-To: <E2F803DD-1F3A-430E-957F-7AB1904CDF42@samsco.org> References: <20130411201805.GD76816@FreeBSD.org> <7D8ACD5C-821D-4505-82E4-02267A7BA4F8@FreeBSD.org> <E2F803DD-1F3A-430E-957F-7AB1904CDF42@samsco.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2013/04/12, at 22:31, Scott Long <scottl@samsco.org> wrote: > On Apr 12, 2013, at 7:43 PM, Rui Paulo <rpaulo@FreeBSD.org> wrote: >=20 >> On 2013/04/11, at 13:18, Gleb Smirnoff <glebius@FreeBSD.org> wrote: >>=20 >>> Lack of maintainer in a near future would lead to bitrot due to = changes >>> in other areas of network stack, kernel APIs, etc. This already = happens, >>> many changes during 10.0-CURRENT cycle were only compile tested wrt >>> ipfilter. If we fail to find maintainer, then a correct decision = would be >>> to remove ipfilter(4) from the base system before 10.0-RELEASE. >>=20 >> This has been discussed in the past. Every time someone came up and = said "I'm still using ipfilter!" and the idea to remove it dies with it.=20= >> I've been saying we should remove it for 4 years now. Not only it's = outdated but it also doesn't not fit well in the FreeBSD roadmap. Then = there's the question of maintainability. We gave the author a commit bit = so that he could maintain it. That doesn't happen anymore and it sounds = like he has since moved away from FreeBSD. I cannot find any reason to = burden another FreeBSD developer with maintaining ipfilter. >>=20 >=20 > One thing that FreeBSD is bad about (and this really applies to many = open source projects) when deprecating something is that the developer = and release engineering groups rarely provide adequate, if any, tools to = help users transition and cope with the deprecation. The fear of = deprecation can be largely overcome by giving these users a clear and = comprehensive path forward. Just announcing "ipfilter is going away. = EOM" is inadequate and leads to completely justified complaints from = users. I agree with the deprecation path, but given the amount of changes that = happened in the last 6 months, I'm not even sure ipfilter is working = fine in FreeBSD CURRENT, but I haven't tested it. > So with that said, would it be possible to write some tutorials on how = to migrate an ipfilter installation to pf? Maybe some mechanical syntax = docs accompanied by a few case studies? Is it possible for a script to = automate some of the common mechanical changes? Also essential is a = clear document on what goes away with ipfilter and what is gained with = pf. Once those tools are written, I suggest announcing that ipfilter is = available but deprecated/unsupported in FreeBSD 10, and will be removed = from FreeBSD 11. Certain people will still pitch a fit about it = departing, but if the tools are there to help the common users, you'll = be successful in winning mindshare and general support. It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, = but I'm not sure automated tools exist. I'm also not convinced we need = to write them and I think the issue can be deal with by writing a bunch = of examples on how to do it manually. Then we can give people 1y to = switch. Regards, -- Rui Paulo
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?96D56EAE-E797-429E-AEC9-42B19B048CCC>