On Sun, 15 Dec 2002, Matthew Dillon wrote: > Here's a new patch. But there isn't much of a point if we do not > also disallow ipfw DELETE and FLUSH. And the pipe config commands > as well as anything else that changes the firewall state. Firewalls > are there to protect the systems behind them. I think deleting the > rule that, say, prevents spoofing is as bad as adding a rule that > allows everything through :-(
One other avenue would be to stick a temporary check for ABI compat in installworld before overwriting ipfw. Or for the next few releases, build both ipfw1 and ipfw2 and install both (say, symlinking ipfw -> ipfw2 by default). You could fall back to ipfw1 if ipfw2 returns an error code in rc scripts. I'd prefer this kind of hack in the install/rc process, not in a new API. Regarding civility to developers, there are a ton of frustrating things in any project. I think civility should be the response given to both reasonable and unreasonable people. If they are unreasonable, giving a reasonable response just makes them look bad. -Nate To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message