From: Rui Paulo
Date: Fri, 12 Apr 2013 23:33:30 -0700
Subject: Re: ipfilter(4) needs maintainer
To: Scott Long
Cc: Gleb Smirnoff, current@FreeBSD.org, net@FreeBSD.org
Message-Id: <96D56EAE-E797-429E-AEC9-42B19B048CCC@FreeBSD.org>

On 2013/04/12, at 22:31, Scott Long wrote:

> On Apr 12, 2013, at 7:43 PM, Rui Paulo wrote:
>
>> On 2013/04/11, at 13:18, Gleb Smirnoff wrote:
>>
>>> Lack of maintainer in a near future would lead to bitrot due to changes
>>> in other areas of network stack, kernel APIs, etc. This already happens,
>>> many changes during 10.0-CURRENT cycle were only compile tested wrt
>>> ipfilter. If we fail to find maintainer, then a correct decision would be
>>> to remove ipfilter(4) from the base system before 10.0-RELEASE.
>>
>> This has been discussed in the past. Every time someone came up and said "I'm still using ipfilter!" and the idea to remove it dies with it.
>> I've been saying we should remove it for 4 years now. Not only is it outdated but it also doesn't fit well in the FreeBSD roadmap. Then there's the question of maintainability. We gave the author a commit bit so that he could maintain it. That doesn't happen anymore and it sounds like he has since moved away from FreeBSD. I cannot find any reason to burden another FreeBSD developer with maintaining ipfilter.
>>
>
> One thing that FreeBSD is bad about (and this really applies to many open source projects) when deprecating something is that the developer and release engineering groups rarely provide adequate, if any, tools to help users transition and cope with the deprecation. The fear of deprecation can be largely overcome by giving these users a clear and comprehensive path forward. Just announcing "ipfilter is going away. EOM" is inadequate and leads to completely justified complaints from users.

I agree with the deprecation path, but given the amount of changes that happened in the last 6 months, I'm not even sure ipfilter is working fine in FreeBSD CURRENT, but I haven't tested it.

> So with that said, would it be possible to write some tutorials on how to migrate an ipfilter installation to pf? Maybe some mechanical syntax docs accompanied by a few case studies? Is it possible for a script to automate some of the common mechanical changes? Also essential is a clear document on what goes away with ipfilter and what is gained with pf. Once those tools are written, I suggest announcing that ipfilter is available but deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11. Certain people will still pitch a fit about it departing, but if the tools are there to help the common users, you'll be successful in winning mindshare and general support.

It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but I'm not sure automated tools exist. I'm also not convinced we need to write them and I think the issue can be dealt with by writing a bunch of examples on how to do it manually. Then we can give people 1y to switch.

Regards,
--
Rui Paulo