Date: Mon, 8 Mar 2004 19:53:45 -0800 (PST)
From: darrenr@FreeBSD.ORG (Darren Reed)
To: Wes Peters <wes@softweyr.com>
Cc: Steve Kargl <sgk@troutmask.apl.washington.edu>
Subject: ipfilter/ipfw/pf
Message-ID: <20040309035345.6CBC916A4D0@hub.freebsd.org>
In-Reply-To: <200402291611.45616.wes@softweyr.com>

In some mail I received from Wes Peters, sie wrote
>
> ipfilter I'm not so sure about, Darren doesn't seem to have been all that
> active lately. I suspect the locking changes have given him reason to
> hide, he usually prefers to wait until such states of flux have settled
> out before he tries to repair what he sees as damage to ipfilter. ;^)

There's one main reason you don't see regular updates of ipfilter and
that is every one in the past has introduced an ABI change which has
hurt users, one way or another. By minimizing the frequency of updating
IPFilter, the frequency in which users get hurt is also reduced. This
is a problem that has been impacting FreeBSD & NetBSD users for a long
time.

IPFilter v4 (now released) has been designed in a manner that allows
this problem of ABI changes to be eliminated. This is a first for the
open source community when it comes to firewall software and there are
no indications from other development that suggest anyone else is going
to pick up this ball.

Version 4 of IPFilter brings with it many things you would find in pf
that are not in the current version of IPFilter in the tree. It also
brings in support for some other experimental ideas that have floated
around for ipfw, such as converting filter rules into C code and
compiling that up for policy enforcement.

As for locking - IPFilter has been working MP aware on Solaris for
years. Indeed, once the locking primitives became available on FreeBSD,
IPFilter was able to start using them. It didn't need to wait for
"big lock" to change :) The same was not true for the pfil interface
but that has since been addressed.

When will IPFilter v4 be in the tree? Sometime very soon, when a 4.1.1
is baked.

When was 4.1 released? Mid February (before pf was brought into the
tree.)

It is being tested on 5.2.1 and 5.2, at present. Are there regular
snapshots of -current around somewhere to download and install?

Darren