From owner-freebsd-net@FreeBSD.ORG Thu Sep 13 16:36:17 2012
From: "Bjoern A. Zeeb" (bz@FreeBSD.org)
To: luigi@FreeBSD.org
Cc: Gleb Smirnoff, net@FreeBSD.org
Date: Thu, 13 Sep 2012 16:36:10 +0000 (UTC)
Subject: Re: moving pfil consumers to sys/netpfil
In-Reply-To: <20120912211726.GB10974@onelab2.iet.unipi.it>
References: <20120912123457.GC85604@glebius.int.ru> <20120912211726.GB10974@onelab2.iet.unipi.it>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 12 Sep 2012, Luigi Rizzo wrote:

> On Wed, Sep 12, 2012 at 04:34:57PM +0400, Gleb Smirnoff wrote:
>> Hi,
>>
>> we (me and Bjoern) would like to establish a single place
>> for all kinds of pfil(9) consumers, for current ones and
>> for future as well.
>>
>> The place chosen is sys/netpfil.
>>
>> On first round we'd like to move there our Tier-1 firewalls:
>> ipfw and pf. This also includes moving pf out of contrib.
>>
>> The plan of movement is the following:
>>
>> sys/contrib/pf/net/*.c      -> sys/netpfil/pf/
>> sys/contrib/pf/net/*.h      -> sys/net/ [1]
>> contrib/pf/pfctl/*.c        -> sbin/pfctl
>> contrib/pf/pfctl/*.h        -> sbin/pfctl
>> contrib/pf/pfctl/pfctl.8    -> sbin/pfctl
>> contrib/pf/pfctl/*.4        -> share/man/man4
>> contrib/pf/pfctl/*.5        -> share/man/man5
>>
>> sys/netinet/ipfw            -> sys/netpfil/ipfw
>
> I have two concerns against moving ipfw/
>
> - what do we gain by moving ipfw/ further
> away from its user header files (whose location in netinet/
> is pretty much part of the API so difficult to change) ?

What do we gain by having 3 firewalls ... in three different places ...
in the tree?  The result is that ipfw unconditionally depends on a pf
header file .. oops .. that actually is an ALTQ thing *bummer*.

> - pfil is just one of the APIs that the ipfw code
> uses to send/receive packets (pfil, netmap for FreeBSD,
> and then netfilter and ndispacket for the other OS).

The other two really don't count for us.

> The pfil dependencies amount to probably 1% of the code.
> So if we really want to relocate ipfw/ i'd rather move to
> a more generic place (but as far as i know we do not have
> one for subsystems -- dev/ is used for drivers, other stuff
> has generally accumulated under sys/ ,see geom, ofed, netgraph).

You may remember we talked about this in the FreeBSD 8.0-CURRENT(?)
times when ipfw moved the last time.  So suggestions as saying no and
not coming up with anything better is not helpful otherwise I'll tell
to glebius "sorry for holding you up for 3 days" go ahead with his
initial proposal to also put pf into netinet/pf if you'd prefer that?

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
   Sometimes you wonder why people are so reluctant to cleaning things up
   and finding a good solution for the next decade.  It's no fun probably?