Date:      Sun, 18 Aug 1996 16:42:33 +0200
From:      Poul-Henning Kamp <phk@critter.tfs.com>
To:        Warner Losh <imp@village.org>
Cc:        "Jordan K. Hubbard" <jkh@time.cdrom.com>, "Ugen J.S.Antsilevich" <ugen@latte.worldbank.org>, hackers@freebsd.org
Subject:   Re: ipfw vs ipfilter 
Message-ID:  <6538.840379353@critter.tfs.com>
In-Reply-To: Your message of "Sun, 18 Aug 1996 10:15:05 MDT." <199608181615.KAA00454@rover.village.org> 

In message <199608181615.KAA00454@rover.village.org>, Warner Losh writes:
>: The only thing I have against ditching ipfw and replacing with ipfilter
>: is that the latter is getting too big for comfort.
>
>One of our paranoid villagers recently did a code review on ipfw.  He
>said it was OK, but found a couple of problems.  Specifically, the
>code lacked comments, there was a bug in the IP header fragment
>discarding code (if the offset was one, it would discard the fragment,
>but not when it was 2, it should properly discard the fragment for all
>offsets > 0 < the size of the headers), it assumed that the user
This is a common mistake; only offset==1 needs to be discarded.

>He preferred ipfw to ipfilter (which we've been using for a long time)
>because ipfw was easier to verify than ipfilter because ipfilter has
>added too many bells and whistles for his comfort.
My sentiment too.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
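
Added example, not part of the original message and not ipfw or ipfilter code: the two fragment-offset rules discussed in the thread, written out in C and run over constructed IPv4 headers so the difference at offset 2 is visible. The function names, the restriction to TCP and the 20-byte TCP header length are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PASS = 0, DROP = 1 };

/* 13-bit fragment offset, in 8-byte units, from bytes 6-7 of the IPv4 header. */
#define FRAG_OFF(ip) ((((unsigned)(ip)[6] << 8) | (ip)[7]) & 0x1fffu)

/* 1 = TCP over IPv4, 0 = other protocol, -1 = too short or not IPv4. */
static int is_tcp(const uint8_t *ip, size_t len)
{
    return (len < 20 || (ip[0] >> 4) != 4) ? -1 : ip[9] == 6;
}

/* Rule A, ipfw as described in the thread: drop only offset == 1, the
 * fragment that starts at TCP byte 8 and so covers the flags byte (byte 13). */
enum verdict rule_offset_one(const uint8_t *ip, size_t len)
{
    int tcp = is_tcp(ip, len);
    if (tcp <= 0) return tcp < 0 ? DROP : PASS;
    return FRAG_OFF(ip) == 1 ? DROP : PASS;
}

/* Rule B, the reviewer's proposal: drop offsets > 0 that start inside the TCP header. */
enum verdict rule_inside_header(const uint8_t *ip, size_t len, unsigned tcp_hlen)
{
    int tcp = is_tcp(ip, len);
    if (tcp <= 0) return tcp < 0 ? DROP : PASS;
    return (FRAG_OFF(ip) > 0 && FRAG_OFF(ip) * 8 < tcp_hlen) ? DROP : PASS;
}

/* Constructed sample: 20-byte IPv4 header with the given protocol and offset. */
void make_hdr(uint8_t *ip, uint8_t proto, unsigned off)
{
    memset(ip, 0, 20);
    ip[0] = 0x45;                          /* version 4, IHL 5 */
    ip[6] = (uint8_t)((off >> 8) & 0x1f);  /* high 5 bits of the offset */
    ip[7] = (uint8_t)(off & 0xff);         /* low 8 bits of the offset */
    ip[9] = proto;                         /* 6 = TCP, 17 = UDP */
}

int main(void)
{
    uint8_t ip[20];
    for (unsigned off = 0; off <= 3; off++) {
        make_hdr(ip, 6, off);
        printf("offset %u: A=%d B=%d\n", off, rule_offset_one(ip, 20), rule_inside_header(ip, 20, 20));
    }
}
```

With a 20-byte TCP header the two rules differ only at offset 2 (byte 16, the checksum and urgent pointer); from offset 3 on, the fragment starts past the header and both rules pass it.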