From: Scott Long
Date: Sun, 14 Apr 2013 07:25:49 -0600
Subject: Re: ipfilter(4) needs maintainer
To: Joe
Cc: Rui Paulo, current@FreeBSD.org, net@FreeBSD.org

On Apr 14, 2013, at 7:20 AM, Joe wrote:

> Rui Paulo wrote:
>> On 2013/04/12, at 22:31, Scott Long wrote:
>>> On Apr 12, 2013, at 7:43 PM, Rui Paulo wrote:
>>>
>>>> On 2013/04/11, at 13:18, Gleb Smirnoff wrote:
>>>>
>>>>> Lack of maintainer in a near future would lead to bitrot due to changes
>>>>> in other areas of network stack, kernel APIs, etc. This already happens,
>>>>> many changes during 10.0-CURRENT cycle were only compile tested wrt
>>>>> ipfilter. If we fail to find maintainer, then a correct decision would be
>>>>> to remove ipfilter(4) from the base system before 10.0-RELEASE.
>>>> This has been discussed in the past. Every time someone came up and said "I'm still using ipfilter!" and the idea to remove it dies with it. I've been saying we should remove it for 4 years now. Not only it's outdated but it also doesn't not fit well in the FreeBSD roadmap. Then there's the question of maintainability. We gave the author a commit bit so that he could maintain it. That doesn't happen anymore and it sounds like he has since moved away from FreeBSD. I cannot find any reason to burden another FreeBSD developer with maintaining ipfilter.
>>>>
>>> One thing that FreeBSD is bad about (and this really applies to many open source projects) when deprecating something is that the developer and release engineering groups rarely provide adequate, if any, tools to help users transition and cope with the deprecation. The fear of deprecation can be largely overcome by giving these users a clear and comprehensive path forward. Just announcing "ipfilter is going away. EOM" is inadequate and leads to completely justified complaints from users.
>> I agree with the deprecation path, but given the amount of changes that happened in the last 6 months, I'm not even sure ipfilter is working fine in FreeBSD CURRENT, but I haven't tested it.
>>> So with that said, would it be possible to write some tutorials on how to migrate an ipfilter installation to pf? Maybe some mechanical syntax docs accompanied by a few case studies? Is it possible for a script to automate some of the common mechanical changes? Also essential is a clear document on what goes away with ipfilter and what is gained with pf. Once those tools are written, I suggest announcing that ipfilter is available but deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11. Certain people will still pitch a fit about it departing, but if the tools are there to help the common users, you'll be successful in winning mindshare and general support.
>> It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but I'm not sure automated tools exist. I'm also not convinced we need to write them and I think the issue can be dealt with by writing a bunch of examples on how to do it manually. Then we can give people 1y to switch.
>> Regards,
>> --
>> Rui Paulo
>
> Wow boys, This conversation has gotten way off track. Looking for a maintainer for ipfilter is totally different than opening the dead subject of removing ipfilter from the system.
>

The project has been in search of a maintainer for ipfilter for many years. Gleb's most recent plea is just the latest round in this loose battle.

> Look at OpenBSD's pf, it's been forked and is now FreeBSD maintained. New upstream versions of ipfilter have always needed tweaking before it can be included in the base system. If you're unsatisfied with the lack of bug fixes, then ask the author for special permission to create a fork if his license doesn't allow it now.
>
> The point is: ipfilter is part of FreeBSD and you are never going to remove it. Accept that fact.
>

Negative, amigo. Without passionate interest in developing ipfilter, it's just a roadblock and an eyesore. Abandonware needs to be culled.

Scott