Date:      Thu, 13 Sep 2012 16:36:10 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        luigi@FreeBSD.org
Cc:        Gleb Smirnoff <glebius@FreeBSD.org>, net@FreeBSD.org
Subject:   Re: moving pfil consumers to sys/netpfil
Message-ID:  <alpine.BSF.2.00.1209131623350.13080@ai.fobar.qr>
In-Reply-To: <20120912211726.GB10974@onelab2.iet.unipi.it>
References:  <20120912123457.GC85604@glebius.int.ru> <20120912211726.GB10974@onelab2.iet.unipi.it>

On Wed, 12 Sep 2012, Luigi Rizzo wrote:

> On Wed, Sep 12, 2012 at 04:34:57PM +0400, Gleb Smirnoff wrote:
>>   Hi,
>>
>>   we (me and Bjoern) would like to establish a single place
>> for all kinds of pfil(9) consumers, for current ones and
>> for future as well.
>>
>>   The place chosen is sys/netpfil.
>>
>>   On first round we'd like to move there our Tier-1 firewalls:
>> ipfw and pf. This also includes moving pf out of contrib.
>>
>>   The plan of movement is the following:
>>
>> sys/contrib/pf/net/*.c		-> sys/netpfil/pf/
>> sys/contrib/pf/net/*.h		-> sys/net/		[1]
>> contrib/pf/pfctl/*.c		-> sbin/pfctl
>> contrib/pf/pfctl/*.h		-> sbin/pfctl
>> contrib/pf/pfctl/pfctl.8	-> sbin/pfctl
>> contrib/pf/pfctl/*.4		-> share/man/man4
>> contrib/pf/pfctl/*.5		-> share/man/man5
>>
>> sys/netinet/ipfw		-> sys/netpfil/ipfw
>
> I have two concerns against moving ipfw/
>
> - what do we gain by moving ipfw/ further
>  away from its user header files (whose location in netinet/
>  is pretty much part of the API so difficult to change) ?

What do we gain by having 3 firewalls ... in three different places
... in the tree?

The result is that ipfw unconditionally depends on a pf header file
.. oops .. that actually is an ALTQ thing *bummer*.


> - pfil is just one of the APIs that the ipfw code
>  uses to send/receive packets (pfil, netmap for FreeBSD,
>  and then netfilter and ndispacket for the other OSes).

The other two really don't count for us.


>  The pfil dependencies amount to probably 1% of the code.
>     So if we really want to relocate ipfw/ I'd rather move to
>  a more generic place (but as far as I know we do not have
>  one for subsystems -- dev/ is used for drivers, other stuff
>  has generally accumulated under sys/, see geom, ofed, netgraph).

You may remember we talked about this in the FreeBSD 8.0-CURRENT(?)
times when ipfw moved the last time.

So suggestions such as saying no and not coming up with anything better
are not helpful; otherwise I'll tell glebius "sorry for holding you
up for 3 days", go ahead with his initial proposal to also put pf into
netinet/pf, if you'd prefer that?

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
  Sometimes you wonder why people are so reluctant to cleaning things up
  and finding a good solution for the next decade. It's no fun probably?
