Re: ipfilter(4) needs maintainer

[David Demelier]

2013/4/14 Gary Palmer gpal...@freebsd.org:
 On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:
 Is it possible to move ipfilter into a port?

 That may work short term, but the ENOMAINTAINER problem will quickly creep
 up again as kernel APIs change.  If the author has lost interest in
 maintaining the FreeBSD port of ipfilter then unless someone steps forward
 to carry on the work, I don't see much of a future for ipfilter in
 FreeBSD

 Do we honestly need three packet filters?


No, for me only one should be present. I completely understand that
some users still use IPFilter and IPFW but why providing three packet
filters?

The answer should be: use one and document only one. If at the
beginning we started documenting only one all users should have used
the only one present. Now we really need to remove the ancestral
ipfilter and tell people switching to pf(4).

Everything in life change, if we need to maintain all code from the
past we will have a lot of compat code that pollute the full source
tree and we will never improve the code just because of old bits

My $0.02,
Regards

--
Demelier David
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Aleksandr A Babaylov]

On Fri, Apr 19, 2013 at 11:45:57AM +0200, David Demelier wrote:
 2013/4/14 Gary Palmer gpal...@freebsd.org:
  Do we honestly need three packet filters?
 
 No, for me only one should be present. I completely understand that
 some users still use IPFilter and IPFW but why providing three packet
 filters?
 
 The answer should be: use one and document only one. If at the
 beginning we started documenting only one all users should have used
 the only one present. Now we really need to remove the ancestral
 ipfilter and tell people switching to pf(4).
IPFW.
It is more logical and easy to use in complex context.

 Everything in life change, if we need to maintain all code from the
 past we will have a lot of compat code that pollute the full source
 tree and we will never improve the code just because of old bits

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Chris Rees]

On 19 Apr 2013 10:46, David Demelier demelier.da...@gmail.com wrote:

 2013/4/14 Gary Palmer gpal...@freebsd.org:
  On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:
  Is it possible to move ipfilter into a port?
 
  That may work short term, but the ENOMAINTAINER problem will quickly
creep
  up again as kernel APIs change.  If the author has lost interest in
  maintaining the FreeBSD port of ipfilter then unless someone steps
forward
  to carry on the work, I don't see much of a future for ipfilter in
  FreeBSD
 
  Do we honestly need three packet filters?
 

 No, for me only one should be present. I completely understand that
 some users still use IPFilter and IPFW but why providing three packet
 filters?

 The answer should be: use one and document only one. If at the
 beginning we started documenting only one all users should have used
 the only one present. Now we really need to remove the ancestral
 ipfilter and tell people switching to pf(4).

 Everything in life change, if we need to maintain all code from the
 past we will have a lot of compat code that pollute the full source
 tree and we will never improve the code just because of old bits

These so called old bits are both maintained, and have different
strengths.

Removing dead unmaintained code yes, but having choice makes transition
easier from other OSes; the fewer parts to change at a time, the better.

Chris
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Ed Maste]

On 15 April 2013 16:12, Cy Schubert cy.schub...@komquats.com wrote:
 The existing license isn't that BSD-friendly either, which is why it lives
 in contrib/. I think the 5.1.X GPLv2 is about the same friendliness as
 Darren's IPF 4.1.X license. As long as it's not in GENERIC should be fine.
 A person can always load it anyway.

There's a plan[1] to remove the remaining GPL components from base
over time.  Updating to the last ipfilter that's under the current
license is probably the path forward, unless it moves out to ports.

[1] https://wiki.freebsd.org/GPLinBase

-Ed
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

In message CAPyFy2BaoF-7t-skTUPt97hkRgdjO-KbB2-vhjOus-nutNO5Fw@mail.gmail.c
om
, Ed Maste writes:
 On 15 April 2013 16:12, Cy Schubert cy.schub...@komquats.com wrote:
  The existing license isn't that BSD-friendly either, which is why it lives
  in contrib/. I think the 5.1.X GPLv2 is about the same friendliness as
  Darren's IPF 4.1.X license. As long as it's not in GENERIC should be fine.
  A person can always load it anyway.
 
 There's a plan[1] to remove the remaining GPL components from base
 over time.  Updating to the last ipfilter that's under the current
 license is probably the path forward, unless it moves out to ports.
 
 [1] https://wiki.freebsd.org/GPLinBase

That's been pointed out to me. IPF's build/install scripts place header 
files in /usr/include, IMO unacceptable for a port. Going forward we go to 
4.1.34 (still under the old license) then look at options.



-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org

The need of the many outweighs the greed of the few.


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Andre Oppermann]

On 15.04.2013 19:48, Cy Schubert wrote:

I did consider a port but given it would has to touch bits and pieces of
the source tree (/usr/src), a port would be messy and the decision was made
to work on importing it into base.


Actually it shouldn't touch many if any pieces of src/sys.  Everything should
happen via sorta published API's the other firewall packages use as well.
Most important pfil hooks.  The hardest part probably is to get the locking
right.

Please run changes to src/sys/net* through glebius@ and me (andre@) first
before committing.  In most, if not all cases, it is possible to find a
generic way of doing things or to standardize on a common one for all of
our packet filters.

--
Andre

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Giorgos Keramidas]

On Mon, 15 Apr 2013 12:15:49 -0700, Cy Schubert cy.schub...@komquats.com 
wrote:
 It was pointed out to me that Darren Reed has changed licenses from
 his IP Filter license that's been in IPF since 2005 or so, when he
 joined Sun, to GPLv2 (probably when Darren left when Oracle took over
 Sun). Given that IPF already lives in src/contrib and src/sys/contrib
 due to the 2005 license change, would that be a problem? If it's OK
 then I'll maintain it in src.  If not then a port is in order. Having
 said that, a port would be messy as IPF's own install scripts update
 src/sys/netinet, among other locations.

That would be a big 'no', right there.  Ports should never update kernel
headers.  If not for any other reason, because which kernel?.

I regularly keep 2-3 different source trees of the kernel around, and
build them from non-standard locations.  Having to remember to run
ipfilter_hack.sh on each of them before doing a successful build and
ending up with kernel sources which are always 'unclean svn checkouts'
would suck -- and I suspect I'm not the only one doing builds of kernels
outside of /usr/src.

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Slawa Olhovchenkov]

On Fri, Apr 12, 2013 at 11:33:30PM -0700, Rui Paulo wrote:

 It's not very difficult to switch an ipf.conf/ipnat.conf to a
 pf.conf, but I'm not sure automated tools exist. I'm also not
 convinced we need to write them and I think the issue can be deal
 with by writing a bunch of examples on how to do it manually. Then
 we can give people 1y to switch.

Realy? pf do FTP nat translation w/o contexst switching?
Multiple GRE nat translation?
I am use from ipfilter only ipnat.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Lars Engels]

On Sun, Apr 14, 2013 at 07:55:21PM +0100, Joe Holden wrote:
 wishmaster wrote:
 
   --- Original message ---
  From: Gary Palmer gpal...@freebsd.org
  Date: 14 April 2013, 19:06:59
  
   
  On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:
  Is it possible to move ipfilter into a port?
  That may work short term, but the ENOMAINTAINER problem will quickly creep
  up again as kernel APIs change.  If the author has lost interest in
  maintaining the FreeBSD port of ipfilter then unless someone steps forward
  to carry on the work, I don't see much of a future for ipfilter in
  FreeBSD
 
  Do we honestly need three packet filters?

  Yes! This is the most clever thought in this thread. Why we need
  3 firewalls? Two packet filters it's excess too.
   We have two packet filters: one with excellent syntax and
   functionality but with outdated bandwidth control mechanism
   (aka ALTQ); another - with nice traffic shaper/prioritization
   (dummynet)/classification (diffused) but with complicated
   implementation  in not trivial tasks.
  May be the next step will be discussion about one packet filter in the 
  system?..
  
  Cheers,
 For non-nat ipfw is still superior in every way, numbered rules (think: 
 scripts), dummynet, much faster than pf, syntax is a lot nicer and 
 predictable...
 
 Does anyone even use ipf? it doesn't even work on Linux anymore, junk it 
 and keep pf+ipfw, job done.

m0n0wall uses ipfilter:

http://m0n0.ch/wall/facts.php


pgpHApUzGDDwu.pgp
Description: PGP signature

Re: ipfilter(4) needs maintainer

[Lev Serebryakov]

Hello, Mark.
You wrote 15 апреля 2013 г., 2:25:07:

 Yes! This is the most clever thought in this thread. Why we need 3
 firewalls? Two packet filters it's excess too. We have two packet filters:
 one with excellent syntax and functionality but with outdated bandwidth
 control mechanism (aka ALTQ); another - with nice traffic
 shaper/prioritization (dummynet)/classification (diffused) but with
 complicated implementation  in not trivial tasks. May be the next step
 will be discussion about one packet filter in the system?..

MM ... and as far as I can tell none of them is currently usable
MM on an IPv6-only FreeBSD (like protecting a host with sshguard),
MM none of them supports stateful NAT64, nor IPv6 prefix translation :(
 IPv6 prefix translation?! AGAIN!? FML. I've thought, that IPv6 will
render all that NAT nightmare to void. I hope, IPv6 prefix translation
will not be possible never ever!

-- 
// Black Lion AKA Lev Serebryakov l...@freebsd.org

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Kimmo Paasiala]

On Mon, Apr 15, 2013 at 1:15 PM, Lev Serebryakov l...@freebsd.org wrote:
 Hello, Mark.
 You wrote 15 апреля 2013 г., 2:25:07:

 Yes! This is the most clever thought in this thread. Why we need 3
 firewalls? Two packet filters it's excess too. We have two packet filters:
 one with excellent syntax and functionality but with outdated bandwidth
 control mechanism (aka ALTQ); another - with nice traffic
 shaper/prioritization (dummynet)/classification (diffused) but with
 complicated implementation  in not trivial tasks. May be the next step
 will be discussion about one packet filter in the system?..

 MM ... and as far as I can tell none of them is currently usable
 MM on an IPv6-only FreeBSD (like protecting a host with sshguard),
 MM none of them supports stateful NAT64, nor IPv6 prefix translation :(
  IPv6 prefix translation?! AGAIN!? FML. I've thought, that IPv6 will
 render all that NAT nightmare to void. I hope, IPv6 prefix translation
 will not be possible never ever!

 --
 // Black Lion AKA Lev Serebryakov l...@freebsd.org


Things like ftp-proxy(8) will need address translation even with IPv6.
Also certain scrub options require a NAT like functionalities.

-Kimmo
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Lev Serebryakov]

Hello, Kimmo.
You wrote 15 апреля 2013 г., 14:26:40:

 MM ... and as far as I can tell none of them is currently usable
 MM on an IPv6-only FreeBSD (like protecting a host with sshguard),
 MM none of them supports stateful NAT64, nor IPv6 prefix translation :(
  IPv6 prefix translation?! AGAIN!? FML. I've thought, that IPv6 will
 render all that NAT nightmare to void. I hope, IPv6 prefix translation
 will not be possible never ever!

KP Things like ftp-proxy(8) will need address translation even with IPv6.
  ftp-proxy is solution to help IPv4 NAT. Why do we need it when every
device could have routable IPv6? Of course, _every_ device should be
protected by border firewall (stateful and IPv6-enabled), but FTP
server should have special rules for it to allow traffic pass, not
some proxy.

 And, yes, NAT64 will be useful for sure, but it is another story,
not IPv6-IPv6 translation.

-- 
// Black Lion AKA Lev Serebryakov l...@freebsd.org

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Kimmo Paasiala]

On Mon, Apr 15, 2013 at 1:32 PM, Lev Serebryakov l...@freebsd.org wrote:
 Hello, Kimmo.
 You wrote 15 апреля 2013 г., 14:26:40:

 MM ... and as far as I can tell none of them is currently usable
 MM on an IPv6-only FreeBSD (like protecting a host with sshguard),
 MM none of them supports stateful NAT64, nor IPv6 prefix translation :(
  IPv6 prefix translation?! AGAIN!? FML. I've thought, that IPv6 will
 render all that NAT nightmare to void. I hope, IPv6 prefix translation
 will not be possible never ever!

 KP Things like ftp-proxy(8) will need address translation even with IPv6.
   ftp-proxy is solution to help IPv4 NAT. Why do we need it when every
 device could have routable IPv6? Of course, _every_ device should be
 protected by border firewall (stateful and IPv6-enabled), but FTP
 server should have special rules for it to allow traffic pass, not
 some proxy.

  And, yes, NAT64 will be useful for sure, but it is another story,
 not IPv6-IPv6 translation.


You're forgetting set ups where outgoing traffic is controlled by
filter rules, outgoing passive mode ftp needs help from the proxy to
open holes for arbitrary ports. This is not limited to IPv4 and NAT.

-Kimmo
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Slawa Olhovchenkov]

On Mon, Apr 15, 2013 at 02:15:36PM +0400, Lev Serebryakov wrote:

  Yes! This is the most clever thought in this thread. Why we need 3
  firewalls? Two packet filters it's excess too. We have two packet filters:
  one with excellent syntax and functionality but with outdated bandwidth
  control mechanism (aka ALTQ); another - with nice traffic
  shaper/prioritization (dummynet)/classification (diffused) but with
  complicated implementation  in not trivial tasks. May be the next step
  will be discussion about one packet filter in the system?..
 
 MM ... and as far as I can tell none of them is currently usable
 MM on an IPv6-only FreeBSD (like protecting a host with sshguard),
 MM none of them supports stateful NAT64, nor IPv6 prefix translation :(
  IPv6 prefix translation?! AGAIN!? FML. I've thought, that IPv6 will
 render all that NAT nightmare to void. I hope, IPv6 prefix translation
 will not be possible never ever!

You disallow anonymization? NAT do anonymisation also.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Kimmo Paasiala]

On Mon, Apr 15, 2013 at 1:38 PM, Slawa Olhovchenkov s...@zxy.spb.ru wrote:
 On Mon, Apr 15, 2013 at 02:15:36PM +0400, Lev Serebryakov wrote:

  Yes! This is the most clever thought in this thread. Why we need 3
  firewalls? Two packet filters it's excess too. We have two packet filters:
  one with excellent syntax and functionality but with outdated bandwidth
  control mechanism (aka ALTQ); another - with nice traffic
  shaper/prioritization (dummynet)/classification (diffused) but with
  complicated implementation  in not trivial tasks. May be the next step
  will be discussion about one packet filter in the system?..

 MM ... and as far as I can tell none of them is currently usable
 MM on an IPv6-only FreeBSD (like protecting a host with sshguard),
 MM none of them supports stateful NAT64, nor IPv6 prefix translation :(
  IPv6 prefix translation?! AGAIN!? FML. I've thought, that IPv6 will
 render all that NAT nightmare to void. I hope, IPv6 prefix translation
 will not be possible never ever!

 You disallow anonymization? NAT do anonymisation also.
 ___

Please stop it already, NAT has never done any real anonymisation.
it's just one of the myths that just refuse to die. Use a real
anonymiser like Tor if you want to keep your identity hidden.

-Kimmo
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Lev Serebryakov]

Hello, Kimmo.
You wrote 15 апреля 2013 г., 14:36:27:

  And, yes, NAT64 will be useful for sure, but it is another story,
 not IPv6-IPv6 translation.
KP You're forgetting set ups where outgoing traffic is controlled by
KP filter rules, outgoing passive mode ftp needs help from the proxy to
KP open holes for arbitrary ports. This is not limited to IPv4 and NAT.
   It could  be  done without IPv6 prefix mapping. Yes, firewall should
 have  ability  to expect some connections fro FTP commands (some flag
 on rule, for sure), but it is not prefix rewriting (there are some
 other protocols, which need similar treatment, like SIP)! I was
 shocked by idea of true NAT from IPv6 to IPv6. IPv6 has its own
 problems and complications, but one REALLY GOOD side of it, that we
 don't need NAT for it anymore! Some special tricks in firewall -- yes,
 maybe, for bad-designed, but widely-deployed application level
 protocols, but not address translations!

  I, personally, don't see any problems to enable all outbound
 connections for dedicated FTP server, though.

-- 
// Black Lion AKA Lev Serebryakov l...@freebsd.org

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Kimmo Paasiala]

On Mon, Apr 15, 2013 at 1:44 PM, Lev Serebryakov l...@freebsd.org wrote:
 Hello, Kimmo.
 You wrote 15 апреля 2013 г., 14:36:27:

  And, yes, NAT64 will be useful for sure, but it is another story,
 not IPv6-IPv6 translation.
 KP You're forgetting set ups where outgoing traffic is controlled by
 KP filter rules, outgoing passive mode ftp needs help from the proxy to
 KP open holes for arbitrary ports. This is not limited to IPv4 and NAT.
It could  be  done without IPv6 prefix mapping. Yes, firewall should
  have  ability  to expect some connections fro FTP commands (some flag
  on rule, for sure), but it is not prefix rewriting (there are some
  other protocols, which need similar treatment, like SIP)! I was
  shocked by idea of true NAT from IPv6 to IPv6. IPv6 has its own
  problems and complications, but one REALLY GOOD side of it, that we
  don't need NAT for it anymore! Some special tricks in firewall -- yes,
  maybe, for bad-designed, but widely-deployed application level
  protocols, but not address translations!

   I, personally, don't see any problems to enable all outbound
  connections for dedicated FTP server, though.


Server side is the easy part, no need for proxy because you know the
passive mode data ports and you can open holes in your firewall using
the known port numbers.

I'm however talking about an ftp client behind a very restrictive
firewall making an IPv6 connection an ftp server that uses passive
mode data ports that can't be known in advance.

-Kimmo
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Lev Serebryakov]

Hello, Kimmo.
You wrote 15 апреля 2013 г., 14:47:24:

KP I'm however talking about an ftp client behind a very restrictive
KP firewall making an IPv6 connection an ftp server that uses passive
KP mode data ports that can't be known in advance.
  Same solution -- inspection of connections to 21 port, without any
 address translation. And if FTP server uses non-standard control
 port, yes, here is a problem, but it cannot be solved with NAT too
 (or your NAT/firewall should expect each and every connection for FTP
 commands, which is heavy and error-prone task).

-- 
// Black Lion AKA Lev Serebryakov l...@freebsd.org

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Kimmo Paasiala]

On Mon, Apr 15, 2013 at 1:50 PM, Lev Serebryakov l...@freebsd.org wrote:
 Hello, Kimmo.
 You wrote 15 апреля 2013 г., 14:47:24:

 KP I'm however talking about an ftp client behind a very restrictive
 KP firewall making an IPv6 connection an ftp server that uses passive
 KP mode data ports that can't be known in advance.
   Same solution -- inspection of connections to 21 port, without any
  address translation. And if FTP server uses non-standard control
  port, yes, here is a problem, but it cannot be solved with NAT too
  (or your NAT/firewall should expect each and every connection for FTP
  commands, which is heavy and error-prone task).


Mmm, are you thinking of the way Linux iptables handles this scenario
with a kernel mode helper? I don't think any of the three packet
filters in FreeBSD has a functionality like that yet.

-Kimmo
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Slawa Olhovchenkov]

On Mon, Apr 15, 2013 at 02:50:23PM +0400, Lev Serebryakov wrote:

 KP I'm however talking about an ftp client behind a very restrictive
 KP firewall making an IPv6 connection an ftp server that uses passive
 KP mode data ports that can't be known in advance.
   Same solution -- inspection of connections to 21 port, without any
  address translation. And if FTP server uses non-standard control
  port, yes, here is a problem, but it cannot be solved with NAT too
  (or your NAT/firewall should expect each and every connection for FTP
  commands, which is heavy and error-prone task).

Not heavy.
But error-prone, yes.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[sthaug]

  MM ... and as far as I can tell none of them is currently usable
  MM on an IPv6-only FreeBSD (like protecting a host with sshguard),
  MM none of them supports stateful NAT64, nor IPv6 prefix translation :(
   IPv6 prefix translation?! AGAIN!? FML. I've thought, that IPv6 will
  render all that NAT nightmare to void. I hope, IPv6 prefix translation
  will not be possible never ever!
 
 KP Things like ftp-proxy(8) will need address translation even with IPv6.
   ftp-proxy is solution to help IPv4 NAT. Why do we need it when every
 device could have routable IPv6? Of course, _every_ device should be
 protected by border firewall (stateful and IPv6-enabled), but FTP
 server should have special rules for it to allow traffic pass, not
 some proxy.
 
  And, yes, NAT64 will be useful for sure, but it is another story,
 not IPv6-IPv6 translation.

We are *way* too late in the game to completely avoid IPv6 NAT. Various
flavors already exist in the form of RFCs, e.g. NPTv6:

http://tools.ietf.org/html/rfc6296

Steinar Haug, Nethelp consulting, sth...@nethelp.no
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Daniel Kalchev]

On 14.04.13 21:55, Joe Holden wrote:
For non-nat ipfw is still superior in every way, numbered rules 
(think: scripts), dummynet, much faster than pf, syntax is a lot nicer 
and predictable...


And, best of all, it still is buggy. At lest, it's tables handling is 
unusable.


I have been very stubborn IPFW user for very long time, but finally gave 
up in favor of PF. Nothing like that ever since. I am also not convinced 
IPFW is any faster than PF.


Daniel
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Kimmo Paasiala]

On Mon, Apr 15, 2013 at 1:54 PM, Kimmo Paasiala kpaas...@gmail.com wrote:
 On Mon, Apr 15, 2013 at 1:50 PM, Lev Serebryakov l...@freebsd.org wrote:
 Hello, Kimmo.
 You wrote 15 апреля 2013 г., 14:47:24:

 KP I'm however talking about an ftp client behind a very restrictive
 KP firewall making an IPv6 connection an ftp server that uses passive
 KP mode data ports that can't be known in advance.
   Same solution -- inspection of connections to 21 port, without any
  address translation. And if FTP server uses non-standard control
  port, yes, here is a problem, but it cannot be solved with NAT too
  (or your NAT/firewall should expect each and every connection for FTP
  commands, which is heavy and error-prone task).


 Mmm, are you thinking of the way Linux iptables handles this scenario
 with a kernel mode helper? I don't think any of the three packet
 filters in FreeBSD has a functionality like that yet.

 -Kimmo

To elaborate on this, Linux iptables has a related qualifier for
rules and the related traffic is identified by kernel mode helpers,
ftp is one example for their use.

-Kimmo
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Mark Martinec]

On Monday April 15 2013 12:32:37 Lev Serebryakov wrote:
 And, yes, NAT64 will be useful for sure, but it is another story,
 not IPv6-IPv6 translation.

Fear not, NPT66 prefix translation is stateless,
this is nothing like NAT44 / NAPT.

On Monday April 15 2013 12:51:00 sth...@nethelp.no wrote:
 We are *way* too late in the game to completely avoid IPv6 NAT.
 Various flavors already exist in the form of RFCs, e.g. NPTv6:
   http://tools.ietf.org/html/rfc6296

Prefix translation is useful for SOHO or branch offices with
more than one uplink, unless one wants to invest into AS and BGP
or start building tunnels:

  http://blog.ioshints.info/2011/12/we-just-might-need-nat66.html


Mark
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Olivier Cochard-Labbé]

 I have been very stubborn IPFW user for very long time, but finally gave up
 in favor of PF. Nothing like that ever since. I am also not convinced IPFW
 is any faster than PF.

Hi Daniel,

I know that measuring PPS for a firewall is not enought for comparing
firewall performance (rfc3511 details lot's of the parameters, but on
my smalldirty bench lab with an old server
(one core Intel Pentium4 3.00GHz with a dual NIC 82546GB connected to
the PCI-X Bus) I've got theses differences (value are in Kpps, small
packet size) on FreeBSD 9.1:
- forwarding-only: 405 Kpps
- IPFW enabled: 320 Kpps
- PF enabled: 274 Kpps

IPFW was configured with only one line: add 3000 allow ip from any to any
And PF with one line too: pass

= On this simple test, IPFW is faster than PF regarding the forwarding rate.

But without ipfwsync feature, IPFW is useless for our use case...

Regards,

Olivier
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

In message alpine.bsf.2.00.1304140946440.10...@wonkity.com, Warren Block 
writ
es:
 On Sun, 14 Apr 2013, Chris Rees wrote:
 
  On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:
  2013/04/13 16:01?Scott Long scott4l...@yahoo.com ??:
 
  Maybe something else, but whatever it is, it should be done.  If you and 
 Gleb don't want to do this, I will.
 
  I already started writing a guide. See here for a very incomplete version:
 
  http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html
 
  If you're really serious about deprecating ipf, we absolutely have to
  remove instructions for it from the Handbook as soon as possible;
  every time a new user comes across instructions you're going to have
  yet another annoyed party.
 
  http://www.bayofrum.net/~crees/patches/remove-ipf.diff
 
 This should probably be done like we did for CVS for ports.  Mark it as 
 deprecated, then remove the Handbook section once the code is removed.

Sorry, I'm coming in late on this discussion. I'm willing to take it on as 
I've been planning on updating it for a while. Would a src committer like 
to take me on for mentorship?


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[cpet]

Ok, seems someone has taken the job.


 In message alpine.bsf.2.00.1304140946440.10...@wonkity.com, Warren Block
 writ
 es:
 On Sun, 14 Apr 2013, Chris Rees wrote:

  On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:
  2013/04/13 16:01?Scott Long scott4l...@yahoo.com ??:
 
  Maybe something else, but whatever it is, it should be done.  If you
 and
 Gleb don't want to do this, I will.
 
  I already started writing a guide. See here for a very incomplete
 version:
 
  http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html
 
  If you're really serious about deprecating ipf, we absolutely have to
  remove instructions for it from the Handbook as soon as possible;
  every time a new user comes across instructions you're going to have
  yet another annoyed party.
 
  http://www.bayofrum.net/~crees/patches/remove-ipf.diff

 This should probably be done like we did for CVS for ports.  Mark it as
 deprecated, then remove the Handbook section once the code is removed.

 Sorry, I'm coming in late on this discussion. I'm willing to take it on as
 I've been planning on updating it for a while. Would a src committer like
 to take me on for mentorship?


 --
 Cheers,
 Cy Schubert cy.schub...@komquats.com
 FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org



___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[cpet]

However it would of been better if said person asked me as I already
offered to take it on but whatever.


 In message alpine.bsf.2.00.1304140946440.10...@wonkity.com, Warren Block
 writ
 es:
 On Sun, 14 Apr 2013, Chris Rees wrote:

  On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:
  2013/04/13 16:01?Scott Long scott4l...@yahoo.com ??:
 
  Maybe something else, but whatever it is, it should be done.  If you
 and
 Gleb don't want to do this, I will.
 
  I already started writing a guide. See here for a very incomplete
 version:
 
  http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html
 
  If you're really serious about deprecating ipf, we absolutely have to
  remove instructions for it from the Handbook as soon as possible;
  every time a new user comes across instructions you're going to have
  yet another annoyed party.
 
  http://www.bayofrum.net/~crees/patches/remove-ipf.diff

 This should probably be done like we did for CVS for ports.  Mark it as
 deprecated, then remove the Handbook section once the code is removed.

 Sorry, I'm coming in late on this discussion. I'm willing to take it on as
 I've been planning on updating it for a while. Would a src committer like
 to take me on for mentorship?


 --
 Cheers,
 Cy Schubert cy.schub...@komquats.com
 FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org



___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

I've been planning on taking on IP Filter for quite some time. 
Unfortunately I've left my src commit bit lapse (my ports commit bit is 
alive and well though) thus I'm looking for a mentor. In addition I'm 
working on an ACER WMI/ACPI kld. One mentor would be preferred but two 
would be fine too.


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


In message 8adc8f0961dd8f7972300837db7403ce.squir...@ma.sdf.org, 
c...@sdf.org
 writes:
 Ok, seems someone has taken the job.
 
 
  In message alpine.bsf.2.00.1304140946440.10...@wonkity.com, Warren Block
  writ
  es:
  On Sun, 14 Apr 2013, Chris Rees wrote:
 
   On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:
   2013/04/13 16:01?Scott Long scott4l...@yahoo.com ??:
  
   Maybe something else, but whatever it is, it should be done.  If you
  and
  Gleb don't want to do this, I will.
  
   I already started writing a guide. See here for a very incomplete
  version:
  
   http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html
  
   If you're really serious about deprecating ipf, we absolutely have to
   remove instructions for it from the Handbook as soon as possible;
   every time a new user comes across instructions you're going to have
   yet another annoyed party.
  
   http://www.bayofrum.net/~crees/patches/remove-ipf.diff
 
  This should probably be done like we did for CVS for ports.  Mark it as
  deprecated, then remove the Handbook section once the code is removed.
 
  Sorry, I'm coming in late on this discussion. I'm willing to take it on as
  I've been planning on updating it for a while. Would a src committer like
  to take me on for mentorship?
 
 
  --
  Cheers,
  Cy Schubert cy.schub...@komquats.com
  FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org
 
 
  ___
  freebsd-current@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-current
  To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
 
 
 


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Adrian Chadd]

ACER WMI/ACPI? Sure, i'll mentor you if you're going to do _that_.



Adrian

On 15 April 2013 09:55, Cy Schubert cy.schub...@komquats.com wrote:
 I've been planning on taking on IP Filter for quite some time.
 Unfortunately I've left my src commit bit lapse (my ports commit bit is
 alive and well though) thus I'm looking for a mentor. In addition I'm
 working on an ACER WMI/ACPI kld. One mentor would be preferred but two
 would be fine too.


 --
 Cheers,
 Cy Schubert cy.schub...@komquats.com
 FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


 In message 8adc8f0961dd8f7972300837db7403ce.squir...@ma.sdf.org,
 c...@sdf.org
  writes:
 Ok, seems someone has taken the job.


  In message alpine.bsf.2.00.1304140946440.10...@wonkity.com, Warren Block
  writ
  es:
  On Sun, 14 Apr 2013, Chris Rees wrote:
 
   On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:
   2013/04/13 16:01?Scott Long scott4l...@yahoo.com ??:
  
   Maybe something else, but whatever it is, it should be done.  If you
  and
  Gleb don't want to do this, I will.
  
   I already started writing a guide. See here for a very incomplete
  version:
  
   http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html
  
   If you're really serious about deprecating ipf, we absolutely have to
   remove instructions for it from the Handbook as soon as possible;
   every time a new user comes across instructions you're going to have
   yet another annoyed party.
  
   http://www.bayofrum.net/~crees/patches/remove-ipf.diff
 
  This should probably be done like we did for CVS for ports.  Mark it as
  deprecated, then remove the Handbook section once the code is removed.
 
  Sorry, I'm coming in late on this discussion. I'm willing to take it on as
  I've been planning on updating it for a while. Would a src committer like
  to take me on for mentorship?
 
 
  --
  Cheers,
  Cy Schubert cy.schub...@komquats.com
  FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org
 
 
  ___
  freebsd-current@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-current
  To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
 




 ___
 freebsd-...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-net
 To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Rui Paulo]

2013/04/15 9:55、Cy Schubert cy.schub...@komquats.com のメッセージ:

 I've been planning on taking on IP Filter for quite some time. 
 Unfortunately I've left my src commit bit lapse (my ports commit bit is 
 alive and well though) thus I'm looking for a mentor. In addition I'm 
 working on an ACER WMI/ACPI kld. One mentor would be preferred but two 
 would be fine too.

What are your plans regarding ipfilter? I remain unconvinced that it should be 
in the base system. Perhaps you can work on it as a port?

Why do you want to work on something that people have been trying to remove 
since 2005?

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com, Rui Paulo 
writes:
 2013/04/15 9:55$B!(BCy Schubert cy.schub...@komquats.com 
 $B$N%a%C%;!%8(B:
 
  I've been planning on taking on IP Filter for quite some time. 
  Unfortunately I've left my src commit bit lapse (my ports commit bit is 
  alive and well though) thus I'm looking for a mentor. In addition I'm 
  working on an ACER WMI/ACPI kld. One mentor would be preferred but two 
  would be fine too.
 
 What are your plans regarding ipfilter? I remain unconvinced that it should b
 e in the base system. Perhaps you can work on it as a port?

The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't 
done much with IPF while employed with Sun. Since then there has been some 
development that is long overdue for HEAD.

I'm not sure if I'd MFC it into 9 or not.

I did consider a port but given it would has to touch bits and pieces of 
the source tree (/usr/src), a port would be messy and the decision was made 
to work on importing it into base.

 
 Why do you want to work on something that people have been trying to remove s
 ince 2005?

I and others have been using it in FreeBSD for over decade. For the longest 
of time we'd use a common set of rules across a FreeBSD and Solaris farm 
(using ipfmeta, makefiles, rsync, rdist, and a local CVS repo). 
Interoperability with other systems which use IP Filter is a plus. If 
there's a maintainer, it only makes FreeBSD richer. Losing IP Filter would 
be a loss.


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Sam Fourman Jr.]

Thank you to those that have expressed interest in maintaining IP Filter..

My thoughts are, could we consider putting a option in the kernel config,
and leaving it off by default for GENERIC?
I think this is a acceptable compromise, considering some people wish for
it to be removed.

Sam Fourman Jr.


On Mon, Apr 15, 2013 at 1:48 PM, Cy Schubert cy.schub...@komquats.comwrote:

 In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com, Rui Paulo
 writes:
  2013/04/15 9:55、Cy Schubert cy.schub...@komquats.com のメッセージ:
 
   I've been planning on taking on IP Filter for quite some time.
   Unfortunately I've left my src commit bit lapse (my ports commit bit is
   alive and well though) thus I'm looking for a mentor. In addition I'm
   working on an ACER WMI/ACPI kld. One mentor would be preferred but two
   would be fine too.
 
  What are your plans regarding ipfilter? I remain unconvinced that it
 should b
  e in the base system. Perhaps you can work on it as a port?

 The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't
 done much with IPF while employed with Sun. Since then there has been some
 development that is long overdue for HEAD.

 I'm not sure if I'd MFC it into 9 or not.

 I did consider a port but given it would has to touch bits and pieces of
 the source tree (/usr/src), a port would be messy and the decision was made
 to work on importing it into base.

 
  Why do you want to work on something that people have been trying to
 remove s
  ince 2005?

 I and others have been using it in FreeBSD for over decade. For the longest
 of time we'd use a common set of rules across a FreeBSD and Solaris farm
 (using ipfmeta, makefiles, rsync, rdist, and a local CVS repo).
 Interoperability with other systems which use IP Filter is a plus. If
 there's a maintainer, it only makes FreeBSD richer. Losing IP Filter would
 be a loss.


 --
 Cheers,
 Cy Schubert cy.schub...@komquats.com
 FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org




-- 

Sam Fourman Jr.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Sam Fourman Jr.]

To my knowledge it is already off by default and you need these options to
enable it

options IPFILTER
options IPFILTER_LOG

so to those that wish to have it removed from base, if it has a maintainer
whats the trouble?



On Mon, Apr 15, 2013 at 2:49 PM, Sam Fourman Jr. sfour...@gmail.com wrote:


 Thank you to those that have expressed interest in maintaining IP Filter..

 My thoughts are, could we consider putting a option in the kernel config,
 and leaving it off by default for GENERIC?
 I think this is a acceptable compromise, considering some people wish for
 it to be removed.

 Sam Fourman Jr.


 On Mon, Apr 15, 2013 at 1:48 PM, Cy Schubert cy.schub...@komquats.comwrote:

 In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com, Rui Paulo
 writes:
  2013/04/15 9:55、Cy Schubert cy.schub...@komquats.com のメッセージ:
 
   I've been planning on taking on IP Filter for quite some time.
   Unfortunately I've left my src commit bit lapse (my ports commit bit
 is
   alive and well though) thus I'm looking for a mentor. In addition I'm
   working on an ACER WMI/ACPI kld. One mentor would be preferred but two
   would be fine too.
 
  What are your plans regarding ipfilter? I remain unconvinced that it
 should b
  e in the base system. Perhaps you can work on it as a port?

 The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't
 done much with IPF while employed with Sun. Since then there has been some
 development that is long overdue for HEAD.

 I'm not sure if I'd MFC it into 9 or not.

 I did consider a port but given it would has to touch bits and pieces of
 the source tree (/usr/src), a port would be messy and the decision was
 made
 to work on importing it into base.

 
  Why do you want to work on something that people have been trying to
 remove s
  ince 2005?

 I and others have been using it in FreeBSD for over decade. For the
 longest
 of time we'd use a common set of rules across a FreeBSD and Solaris farm
 (using ipfmeta, makefiles, rsync, rdist, and a local CVS repo).
 Interoperability with other systems which use IP Filter is a plus. If
 there's a maintainer, it only makes FreeBSD richer. Losing IP Filter would
 be a loss.


 --
 Cheers,
 Cy Schubert cy.schub...@komquats.com
 FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
 




 --

 Sam Fourman Jr.




-- 

Sam Fourman Jr.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

In message a2450361-d9e9-498f-ad44-846563ef0...@yahoo.com, Scott Long 
writes:
 
 On Apr 15, 2013, at 11:48 AM, Cy Schubert cy.schub...@komquats.com wrote:
 
  In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com, Rui Paulo 
  writes:
  2013/04/15 9:55$B!(BCy Schubert cy.schub...@komquats.com 
  $B$N%a%C%;!%8
 (B:
  
  I've been planning on taking on IP Filter for quite some time. 
  Unfortunately I've left my src commit bit lapse (my ports commit bit is 
  alive and well though) thus I'm looking for a mentor. In addition I'm 
  working on an ACER WMI/ACPI kld. One mentor would be preferred but two 
  would be fine too.
  
  What are your plans regarding ipfilter? I remain unconvinced that it shoul
 d b
  e in the base system. Perhaps you can work on it as a port?
  
  The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't 
  done much with IPF while employed with Sun. Since then there has been some 
  development that is long overdue for HEAD.
  
  I'm not sure if I'd MFC it into 9 or not.
  
  I did consider a port but given it would has to touch bits and pieces of 
  the source tree (/usr/src), a port would be messy and the decision was made
  
  to work on importing it into base.
  
  
  Why do you want to work on something that people have been trying to remov
 e s
  ince 2005?
  
  I and others have been using it in FreeBSD for over decade. For the longest
  
  of time we'd use a common set of rules across a FreeBSD and Solaris farm 
  (using ipfmeta, makefiles, rsync, rdist, and a local CVS repo). 
  Interoperability with other systems which use IP Filter is a plus. If 
  there's a maintainer, it only makes FreeBSD richer. Losing IP Filter would 
  be a loss.
  
 
 
 If you're committed to maintaining IPFilter, that's great.  However, it can't
  be
 left to stagger along in a  zombie state with nothing more than good intentio
 ns
 from well meaning people.  What is your timeline for getting it back into sha
 pe
 and re-integrating yourself into the committer community?

I would think this would be my top priority right now. I'd like to see it 
at the latest level in HEAD. I would like to MFC to 9-STABLE at some point.

Given that IPF already lives in src/contrib and src/sys/contrib, would the 
change in License from Darren Reed's own not so BSD friendly IPF license to 
GPLv2 be of concern. I recall there was a lot of concern over IPF's license 
change at the time. (FreeBSD moved it to contrib while OpenBSD removed it 
completely and wrote PF -- I'm not sure what NetBSD did).


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org



___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Jung-uk Kim]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 2013-04-15 15:27:55 -0400, Cy Schubert wrote:
 In message a2450361-d9e9-498f-ad44-846563ef0...@yahoo.com, Scott
 Long writes:
 
 On Apr 15, 2013, at 11:48 AM, Cy Schubert
 cy.schub...@komquats.com wrote:
 
 In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com,
 Rui Paulo writes:
 2013/04/15 9:55$B!(BCy Schubert cy.schub...@komquats.com
 $B$N%a%C%;!%8
 (B:
 
 I've been planning on taking on IP Filter for quite some
 time. Unfortunately I've left my src commit bit lapse (my
 ports commit bit is alive and well though) thus I'm looking
 for a mentor. In addition I'm working on an ACER WMI/ACPI
 kld. One mentor would be preferred but two would be fine
 too.
 
 What are your plans regarding ipfilter? I remain unconvinced
 that it shoul
 d b
 e in the base system. Perhaps you can work on it as a port?
 
 The initial plan was to import IP Filter 5.1.2 into HEAD.
 darrenr@ hadn't done much with IPF while employed with Sun.
 Since then there has been some development that is long overdue
 for HEAD.
 
 I'm not sure if I'd MFC it into 9 or not.
 
 I did consider a port but given it would has to touch bits and
 pieces of the source tree (/usr/src), a port would be messy and
 the decision was made
 
 to work on importing it into base.
 
 
 Why do you want to work on something that people have been
 trying to remov
 e s
 ince 2005?
 
 I and others have been using it in FreeBSD for over decade. For
 the longest
 
 of time we'd use a common set of rules across a FreeBSD and
 Solaris farm (using ipfmeta, makefiles, rsync, rdist, and a
 local CVS repo). Interoperability with other systems which use
 IP Filter is a plus. If there's a maintainer, it only makes
 FreeBSD richer. Losing IP Filter would be a loss.
 
 
 
 If you're committed to maintaining IPFilter, that's great.
 However, it can't be left to stagger along in a  zombie state
 with nothing more than good intentio ns from well meaning people.
 What is your timeline for getting it back into sha pe and
 re-integrating yourself into the committer community?
 
 I would think this would be my top priority right now. I'd like to
 see it at the latest level in HEAD. I would like to MFC to 9-STABLE
 at some point.
 
 Given that IPF already lives in src/contrib and src/sys/contrib,
 would the change in License from Darren Reed's own not so BSD
 friendly IPF license to GPLv2 be of concern. I recall there was a
 lot of concern over IPF's license change at the time. (FreeBSD
 moved it to contrib while OpenBSD removed it completely and wrote
 PF -- I'm not sure what NetBSD did).

FYI, NetBSD has PF from OpenBSD:

http://www.netbsd.org/docs/network/pf.html

Also, they upgraded it to the latest GPL'ed sources recently (and
moved to a different directory):

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/external/bsd/ipf/netinet/?only_with_tag=MAIN

Now they have their own packet filter, called NPF:

http://mail-index.netbsd.org/netbsd-announce/2012/10/17/msg000161.html

They have more choices now. :-)

Jung-uk Kim
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (FreeBSD)

iQEcBAEBAgAGBQJRbFjtAAoJECXpabHZMqHOSFkIAK72iLtzb1py01/A+SbX8ejn
hi5eh8ri6QQ2Kh4K96b/R5oHk5PoGNpc7xX7Kbp1wyJ2OrdNvAPnElwMDpPCjnRC
rKPXiS25Km9D1e18E2pLB4iTweb/AOf87bGRz6skm3Rq0D4XOX9dwRndj1vqRxmH
V/Rrdlzprx4EvDmgmfAfSZwGTGit6fVXqHHj5LtONURNKe4qAliVIdxB1vQFQBqB
BnHF1gN7tIJVCrn+4yKSVsv6vqRSXp5LOIRBw2ooURKEkkKqVIapboEU+pGitN4g
dbVZkoBol7V+LfqBBpsG7JH+OboUvdvWJ7hqeNtAV4YerBBBbePvx9D5iehmRUk=
=/mAG
-END PGP SIGNATURE-
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Gleb Smirnoff]

  Cy,

  good news that you volunteered to work on this!

On Mon, Apr 15, 2013 at 10:48:43AM -0700, Cy Schubert wrote:
C The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't 
C done much with IPF while employed with Sun. Since then there has been some 
C development that is long overdue for HEAD.

The problem is that v5.1.2 is under GPL. I'm afraid we should update
to v4.1.34 only, and then stick to it. So the nearest TODO list
is smth like:

- update to v4.1.34
- cleanse old kernel APIs (timeout(9) at least)
- fix VIMAGE
- review open PRs (some might should be closed)
- since we do not expect more imports, may be cleanse non-FreeBSD stuff
  from there?
- maybe move it into sys/netpfil? Need to consult imp@ on that. License
  is very closed to BSD, but has some additions.

C I'm not sure if I'd MFC it into 9 or not.

This is up to you, but be adviced that head already differs from stable/9,
for example network stack is entirely in network byte order. So merging
would require a lot of attention and testing.

C I did consider a port but given it would has to touch bits and pieces of 
C the source tree (/usr/src), a port would be messy and the decision was made 
C to work on importing it into base.

Port isn't an option. IPFilter is too close to many kernel APIs, that
can change quickly.

-- 
Totus tuus, Glebius.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

In message 20130415195544.gy76...@freebsd.org, Gleb Smirnoff writes:
   Cy,
 
   good news that you volunteered to work on this!
 
 On Mon, Apr 15, 2013 at 10:48:43AM -0700, Cy Schubert wrote:
 C The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't 
 C done much with IPF while employed with Sun. Since then there has been some
  
 C development that is long overdue for HEAD.
 
 The problem is that v5.1.2 is under GPL. I'm afraid we should update
 to v4.1.34 only, and then stick to it. So the nearest TODO list
 is smth like:
 
 - update to v4.1.34
 - cleanse old kernel APIs (timeout(9) at least)
 - fix VIMAGE
 - review open PRs (some might should be closed)
 - since we do not expect more imports, may be cleanse non-FreeBSD stuff
   from there?
 - maybe move it into sys/netpfil? Need to consult imp@ on that. License
   is very closed to BSD, but has some additions.

A small step in the right direction is a good thing. I'll run the patches 
by you first.

The existing license isn't that BSD-friendly either, which is why it lives 
in contrib/. I think the 5.1.X GPLv2 is about the same friendliness as 
Darren's IPF 4.1.X license. As long as it's not in GENERIC should be fine. 
A person can always load it anyway.

 
 C I'm not sure if I'd MFC it into 9 or not.
 
 This is up to you, but be adviced that head already differs from stable/9,
 for example network stack is entirely in network byte order. So merging
 would require a lot of attention and testing.
 
 C I did consider a port but given it would has to touch bits and pieces of 
 C the source tree (/usr/src), a port would be messy and the decision was mad
 e 
 C to work on importing it into base.
 
 Port isn't an option. IPFilter is too close to many kernel APIs, that
 can change quickly.

Agreed. I looked at it a few months ago and determined that src is where it 
should be. (I put it aside, getting ACER WMI/ACPI working on my new Acer 
laptop was my priority at the time.)


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org




___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Scott Long]

The desire to remove it stems from the inability to give it adequate 
engineering 
service as the network stack evolves.  Simply taking it out of a kernel config 
file
doesn't address that problem at all.  If it's going to stay in FreeBSD at all, 
it
needs to be maintained.  This could be set about a fair amount of stuff in 
FreeBSD,
but IPFilter stands out since there's a high rate of needed change happening in
the network stack, and it shouldn't be left to rot nor to be a stumbling block 
for
those changes.

Scott

On Apr 15, 2013, at 12:49 PM, Sam Fourman Jr. sfour...@gmail.com wrote:

 Thank you to those that have expressed interest in maintaining IP Filter..
 
 My thoughts are, could we consider putting a option in the kernel config,
 and leaving it off by default for GENERIC?
 I think this is a acceptable compromise, considering some people wish for
 it to be removed.
 
 Sam Fourman Jr.
 
 
 On Mon, Apr 15, 2013 at 1:48 PM, Cy Schubert cy.schub...@komquats.comwrote:
 
 In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com, Rui Paulo
 writes:
 2013/04/15 9:55、Cy Schubert cy.schub...@komquats.com のメッセージ:
 
 I've been planning on taking on IP Filter for quite some time.
 Unfortunately I've left my src commit bit lapse (my ports commit bit is
 alive and well though) thus I'm looking for a mentor. In addition I'm
 working on an ACER WMI/ACPI kld. One mentor would be preferred but two
 would be fine too.
 
 What are your plans regarding ipfilter? I remain unconvinced that it
 should b
 e in the base system. Perhaps you can work on it as a port?
 
 The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't
 done much with IPF while employed with Sun. Since then there has been some
 development that is long overdue for HEAD.
 
 I'm not sure if I'd MFC it into 9 or not.
 
 I did consider a port but given it would has to touch bits and pieces of
 the source tree (/usr/src), a port would be messy and the decision was made
 to work on importing it into base.
 
 
 Why do you want to work on something that people have been trying to
 remove s
 ince 2005?
 
 I and others have been using it in FreeBSD for over decade. For the longest
 of time we'd use a common set of rules across a FreeBSD and Solaris farm
 (using ipfmeta, makefiles, rsync, rdist, and a local CVS repo).
 Interoperability with other systems which use IP Filter is a plus. If
 there's a maintainer, it only makes FreeBSD richer. Losing IP Filter would
 be a loss.
 
 
 --
 Cheers,
 Cy Schubert cy.schub...@komquats.com
 FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org
 
 
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
 
 
 
 
 -- 
 
 Sam Fourman Jr.
 ___
 freebsd-...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-net
 To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Scott Long]

On Apr 15, 2013, at 11:48 AM, Cy Schubert cy.schub...@komquats.com wrote:

 In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com, Rui Paulo 
 writes:
 2013/04/15 9:55$B!(BCy Schubert cy.schub...@komquats.com 
 $B$N%a%C%;!%8(B:
 
 I've been planning on taking on IP Filter for quite some time. 
 Unfortunately I've left my src commit bit lapse (my ports commit bit is 
 alive and well though) thus I'm looking for a mentor. In addition I'm 
 working on an ACER WMI/ACPI kld. One mentor would be preferred but two 
 would be fine too.
 
 What are your plans regarding ipfilter? I remain unconvinced that it should b
 e in the base system. Perhaps you can work on it as a port?
 
 The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't 
 done much with IPF while employed with Sun. Since then there has been some 
 development that is long overdue for HEAD.
 
 I'm not sure if I'd MFC it into 9 or not.
 
 I did consider a port but given it would has to touch bits and pieces of 
 the source tree (/usr/src), a port would be messy and the decision was made 
 to work on importing it into base.
 
 
 Why do you want to work on something that people have been trying to remove s
 ince 2005?
 
 I and others have been using it in FreeBSD for over decade. For the longest 
 of time we'd use a common set of rules across a FreeBSD and Solaris farm 
 (using ipfmeta, makefiles, rsync, rdist, and a local CVS repo). 
 Interoperability with other systems which use IP Filter is a plus. If 
 there's a maintainer, it only makes FreeBSD richer. Losing IP Filter would 
 be a loss.
 


If you're committed to maintaining IPFilter, that's great.  However, it can't be
left to stagger along in a  zombie state with nothing more than good intentions
from well meaning people.  What is your timeline for getting it back into shape
and re-integrating yourself into the committer community?

Scott
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

It was pointed out to me that Darren Reed has changed licenses from his IP 
Filter license that's been in IPF since 2005 or so, when he joined Sun, to 
GPLv2 (probably when Darren left when Oracle took over Sun). Given that IPF 
already lives in src/contrib and src/sys/contrib due to the 2005 license 
change, would that be a problem? If it's OK then I'll maintain it in src. 
If not then a port is in order. Having said that, a port would be messy as 
IPF's own install scripts update src/sys/netinet, among other locations.


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


In message d6ade9c6-868a-4524-a6d7-4eb88f9d6...@yahoo.com, Scott Long 
writes:
 The desire to remove it stems from the inability to give it adequate engineer
 ing 
 service as the network stack evolves.  Simply taking it out of a kernel confi
 g file
 doesn't address that problem at all.  If it's going to stay in FreeBSD at all
 , it
 needs to be maintained.  This could be set about a fair amount of stuff in Fr
 eeBSD,
 but IPFilter stands out since there's a high rate of needed change happening 
 in
 the network stack, and it shouldn't be left to rot nor to be a stumbling bloc
 k for
 those changes.
 
 Scott
 
 On Apr 15, 2013, at 12:49 PM, Sam Fourman Jr. sfour...@gmail.com wrote:
 
  Thank you to those that have expressed interest in maintaining IP Filter..
  
  My thoughts are, could we consider putting a option in the kernel config,
  and leaving it off by default for GENERIC?
  I think this is a acceptable compromise, considering some people wish for
  it to be removed.
  
  Sam Fourman Jr.
  
  
  On Mon, Apr 15, 2013 at 1:48 PM, Cy Schubert cy.schub...@komquats.comwrot
 e:
  
  In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com, Rui Paulo
  writes:
  2013/04/15 9:55、Cy Schubert cy.schub...@komquats.com 
  のメッセージ:
  
  I've been planning on taking on IP Filter for quite some time.
  Unfortunately I've left my src commit bit lapse (my ports commit bit is
  alive and well though) thus I'm looking for a mentor. In addition I'm
  working on an ACER WMI/ACPI kld. One mentor would be preferred but two
  would be fine too.
  
  What are your plans regarding ipfilter? I remain unconvinced that it
  should b
  e in the base system. Perhaps you can work on it as a port?
  
  The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't
  done much with IPF while employed with Sun. Since then there has been some
  development that is long overdue for HEAD.
  
  I'm not sure if I'd MFC it into 9 or not.
  
  I did consider a port but given it would has to touch bits and pieces of
  the source tree (/usr/src), a port would be messy and the decision was mad
 e
  to work on importing it into base.
  
  
  Why do you want to work on something that people have been trying to
  remove s
  ince 2005?
  
  I and others have been using it in FreeBSD for over decade. For the longes
 t
  of time we'd use a common set of rules across a FreeBSD and Solaris farm
  (using ipfmeta, makefiles, rsync, rdist, and a local CVS repo).
  Interoperability with other systems which use IP Filter is a plus. If
  there's a maintainer, it only makes FreeBSD richer. Losing IP Filter would
  be a loss.
  
  
  --
  Cheers,
  Cy Schubert cy.schub...@komquats.com
  FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org
  
  
  ___
  freebsd-current@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-current
  To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
  
  
  
  
  -- 
  
  Sam Fourman Jr.
  ___
  freebsd-...@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-net
  To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
 
 


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Scott Long]

On Apr 15, 2013, at 1:27 PM, Cy Schubert cy.schub...@komquats.com wrote:

 In message a2450361-d9e9-498f-ad44-846563ef0...@yahoo.com, Scott Long 
 writes:
 
 On Apr 15, 2013, at 11:48 AM, Cy Schubert cy.schub...@komquats.com wrote:
 
 In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com, Rui Paulo 
 writes:
 2013/04/15 9:55$B!(BCy Schubert cy.schub...@komquats.com 
 $B$N%a%C%;!%8
 (B:
 
 I've been planning on taking on IP Filter for quite some time. 
 Unfortunately I've left my src commit bit lapse (my ports commit bit is 
 alive and well though) thus I'm looking for a mentor. In addition I'm 
 working on an ACER WMI/ACPI kld. One mentor would be preferred but two 
 would be fine too.
 
 What are your plans regarding ipfilter? I remain unconvinced that it shoul
 d b
 e in the base system. Perhaps you can work on it as a port?
 
 The initial plan was to import IP Filter 5.1.2 into HEAD. darrenr@ hadn't 
 done much with IPF while employed with Sun. Since then there has been some 
 development that is long overdue for HEAD.
 
 I'm not sure if I'd MFC it into 9 or not.
 
 I did consider a port but given it would has to touch bits and pieces of 
 the source tree (/usr/src), a port would be messy and the decision was made
 
 to work on importing it into base.
 
 
 Why do you want to work on something that people have been trying to remov
 e s
 ince 2005?
 
 I and others have been using it in FreeBSD for over decade. For the longest
 
 of time we'd use a common set of rules across a FreeBSD and Solaris farm 
 (using ipfmeta, makefiles, rsync, rdist, and a local CVS repo). 
 Interoperability with other systems which use IP Filter is a plus. If 
 there's a maintainer, it only makes FreeBSD richer. Losing IP Filter would 
 be a loss.
 
 
 
 If you're committed to maintaining IPFilter, that's great.  However, it can't
 be
 left to stagger along in a  zombie state with nothing more than good intentio
 ns
 from well meaning people.  What is your timeline for getting it back into sha
 pe
 and re-integrating yourself into the committer community?
 
 I would think this would be my top priority right now. I'd like to see it 
 at the latest level in HEAD. I would like to MFC to 9-STABLE at some point.
 
 Given that IPF already lives in src/contrib and src/sys/contrib, would the 
 change in License from Darren Reed's own not so BSD friendly IPF license to 
 GPLv2 be of concern. I recall there was a lot of concern over IPF's license 
 change at the time. (FreeBSD moved it to contrib while OpenBSD removed it 
 completely and wrote PF -- I'm not sure what NetBSD did).
 


I would assume that the license change would be OK, especially since the other
option is to remove it (or let it continue to rot and be an eyesore) but I'll 
defer to those like
Gleb and Rui with a more vested interest in it.

Scott

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

In message 516c58ed.40...@freebsd.org, Jung-uk Kim writes:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On 2013-04-15 15:27:55 -0400, Cy Schubert wrote:
  In message a2450361-d9e9-498f-ad44-846563ef0...@yahoo.com, Scott
  Long writes:
  
  On Apr 15, 2013, at 11:48 AM, Cy Schubert
  cy.schub...@komquats.com wrote:
  
  In message 18df99b0-6e66-4906-a233-7778451b8...@felyko.com,
  Rui Paulo writes:
  2013/04/15 9:55$B!(BCy Schubert cy.schub...@komquats.com
  $B$N%a%C%;!%8
  (B:
  
  I've been planning on taking on IP Filter for quite some
  time. Unfortunately I've left my src commit bit lapse (my
  ports commit bit is alive and well though) thus I'm looking
  for a mentor. In addition I'm working on an ACER WMI/ACPI
  kld. One mentor would be preferred but two would be fine
  too.
  
  What are your plans regarding ipfilter? I remain unconvinced
  that it shoul
  d b
  e in the base system. Perhaps you can work on it as a port?
  
  The initial plan was to import IP Filter 5.1.2 into HEAD.
  darrenr@ hadn't done much with IPF while employed with Sun.
  Since then there has been some development that is long overdue
  for HEAD.
  
  I'm not sure if I'd MFC it into 9 or not.
  
  I did consider a port but given it would has to touch bits and
  pieces of the source tree (/usr/src), a port would be messy and
  the decision was made
  
  to work on importing it into base.
  
  
  Why do you want to work on something that people have been
  trying to remov
  e s
  ince 2005?
  
  I and others have been using it in FreeBSD for over decade. For
  the longest
  
  of time we'd use a common set of rules across a FreeBSD and
  Solaris farm (using ipfmeta, makefiles, rsync, rdist, and a
  local CVS repo). Interoperability with other systems which use
  IP Filter is a plus. If there's a maintainer, it only makes
  FreeBSD richer. Losing IP Filter would be a loss.
  
  
  
  If you're committed to maintaining IPFilter, that's great.
  However, it can't be left to stagger along in a  zombie state
  with nothing more than good intentio ns from well meaning people.
  What is your timeline for getting it back into sha pe and
  re-integrating yourself into the committer community?
  
  I would think this would be my top priority right now. I'd like to
  see it at the latest level in HEAD. I would like to MFC to 9-STABLE
  at some point.
  
  Given that IPF already lives in src/contrib and src/sys/contrib,
  would the change in License from Darren Reed's own not so BSD
  friendly IPF license to GPLv2 be of concern. I recall there was a
  lot of concern over IPF's license change at the time. (FreeBSD
  moved it to contrib while OpenBSD removed it completely and wrote
  PF -- I'm not sure what NetBSD did).
 
 FYI, NetBSD has PF from OpenBSD:
 
 http://www.netbsd.org/docs/network/pf.html
 
 Also, they upgraded it to the latest GPL'ed sources recently (and
 moved to a different directory):
 
 http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/external/bsd/ipf/netinet/?only_wi
 th_tag=MAIN
 
 Now they have their own packet filter, called NPF:
 
 http://mail-index.netbsd.org/netbsd-announce/2012/10/17/msg000161.html
 
 They have more choices now. :-)

I'm always (or usually) one for more than fewer choices.


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Gleb Smirnoff]

On Mon, Apr 15, 2013 at 04:47:33PM -, c...@sdf.org wrote:
c However it would of been better if said person asked me as I already
c offered to take it on but whatever.

More manpower - the better. Why can't you work together?


-- 
Totus tuus, Glebius.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Gleb Smirnoff]

On Mon, Apr 15, 2013 at 01:32:48PM -0600, Scott Long wrote:
S  Given that IPF already lives in src/contrib and src/sys/contrib, would the 
S  change in License from Darren Reed's own not so BSD friendly IPF license 
to 
S  GPLv2 be of concern. I recall there was a lot of concern over IPF's 
license 
S  change at the time. (FreeBSD moved it to contrib while OpenBSD removed it 
S  completely and wrote PF -- I'm not sure what NetBSD did).
S 
S I would assume that the license change would be OK, especially since the 
other
S option is to remove it (or let it continue to rot and be an eyesore) but 
I'll defer to those like
S Gleb and Rui with a more vested interest in it.

I'm not a licensing guru, so I can't tell whether GPL ipfilter can live in
src/ and if it can, where should it be. So I expect someone else to comment
on licensing.

My personal, biased towards BSD, wish, is to import only the last BSD-licensed
version, move it out of contrib to netpfil, remove zillions of compatibility
(towards other OSes) code and just maintain it. Maintaining means fixing bugs
and catching up on kernel changes.

We can ask Darren whether we can switch the license to pure BSD. Since he 
himself
switched the entire license to GPL, the insisting on the following clause
seems strange, and expect he won't insist on it.

 The licence and distribution terms for any publically available version or
 derivative of this code cannot be changed. i.e. this code cannot simply be
 copied, in part or in whole, and put under another distribution licence
 [including the GNU Public Licence.]

-- 
Totus tuus, Glebius.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Cy Schubert]

In message 20130415212826.ga76...@freebsd.org, Gleb Smirnoff writes:
 On Mon, Apr 15, 2013 at 04:47:33PM -, c...@sdf.org wrote:
 c However it would of been better if said person asked me as I already
 c offered to take it on but whatever.

Sorry, I didn't see your posting. I had a permissions issue on my gateway 
which caused the loss of a few emails (still sorting through the list of 
bounces).

 
 More manpower - the better. Why can't you work together?

I don't mind working with others. I know there's more than enough to keep 
everyone busy. My main goal is to make sure IPF doesn't disappear nor go 
into disrepair and to make sure it's well maintained. Let's work together.


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Chris Rees]

On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:
 2013/04/13 16:01、Scott Long scott4l...@yahoo.com のメッセージ:

 Maybe something else, but whatever it is, it should be done.  If you and 
 Gleb don't want to do this, I will.

 I already started writing a guide. See here for a very incomplete version:

 http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html

If you're really serious about deprecating ipf, we absolutely have to
remove instructions for it from the Handbook as soon as possible;
every time a new user comes across instructions you're going to have
yet another annoyed party.

http://www.bayofrum.net/~crees/patches/remove-ipf.diff

Chris
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Miroslav Lachman]

Rui Paulo wrote:
 2013/04/13 16:01、Scott Longscott4l...@yahoo.com  のメッセージ:
 
 Maybe something else, but whatever it is, it should be done.  If you and 
 Gleb don't want to do this, I will.
 
 I already started writing a guide. See here for a very incomplete version:
 
 http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html

1.1 ipftest
PF rules can be checked with pfctl -n:
-n  Do not actually load rules, just parse them

For example:
pfctl -nvf /etc/pf.conf.tmp


3 Examples
3.1  Filtering

ipf.conf and pf.conf has the same syntax for basic filtering rules, so
you can use it on the right side to:

block in on le0 proto tcp from 10.1.1.1/32 to any

pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A


Miroslav Lachman
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Joe]

Rui Paulo wrote:

On 2013/04/12, at 22:31, Scott Long sco...@samsco.org wrote:


On Apr 12, 2013, at 7:43 PM, Rui Paulo rpa...@freebsd.org wrote:


On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:


Lack of maintainer in a near future would lead to bitrot due to changes
in other areas of network stack, kernel APIs, etc. This already happens,
many changes during 10.0-CURRENT cycle were only compile tested wrt
ipfilter. If we fail to find maintainer, then a correct decision would be
to remove ipfilter(4) from the base system before 10.0-RELEASE.
This has been discussed in the past. Every time someone came up and said I'm still using ipfilter! and the idea to remove it dies with it. 
I've been saying we should remove it for 4 years now. Not only it's outdated but it also doesn't not fit well in the FreeBSD roadmap. Then there's the question of maintainability. We gave the author a commit bit so that he could maintain it. That doesn't happen anymore and it sounds like he has since moved away from FreeBSD. I cannot find any reason to burden another FreeBSD developer with maintaining ipfilter.



One thing that FreeBSD is bad about (and this really applies to many open source 
projects) when deprecating something is that the developer and release engineering groups 
rarely provide adequate, if any, tools to help users transition and cope with the 
deprecation.  The fear of deprecation can be largely overcome by giving these users a 
clear and comprehensive path forward.  Just announcing ipfilter is going away.  
EOM is inadequate and leads to completely justified complaints from users.


I agree with the deprecation path, but given the amount of changes that 
happened in the last 6 months, I'm not even sure ipfilter is working fine in 
FreeBSD CURRENT, but I haven't tested it.


So with that said, would it be possible to write some tutorials on how to 
migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
accompanied by a few case studies?  Is it possible for a script to automate 
some of the common mechanical changes?  Also essential is a clear document on 
what goes away with ipfilter and what is gained with pf.  Once those tools are 
written, I suggest announcing that ipfilter is available but 
deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
Certain people will still pitch a fit about it departing, but if the tools are 
there to help the common users, you'll be successful in winning mindshare and 
general support.



It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but I'm 
not sure automated tools exist. I'm also not convinced we need to write them 
and I think the issue can be deal with by writing a bunch of examples on how to 
do it manually. Then we can give people 1y to switch.

Regards,
--
Rui Paulo



Wow boys, This conversation has gotten way off track. Looking for a 
maintainer for ipfilter is totally different than opening the dead 
subject of removing ipfilter from the system.


Look at openbsd's pf, its been forked and is now freebsd maintained. New 
upstream versions of Ipfilter have always needed tweaking before it can 
be included in the base system. If your unsatisfied with the lack of bug 
fixes, then ask the author for special permission to create a fork if 
his license don't allow it now.


The point is: ipfilter is part of FreeBSD and you are never going to 
remove it. Accept that fact.


So look for alternate ways to address your concerns about ipfilter bug 
fixs getting applied and/or updating ipfilter to function with vimage or 
changes to the Freebsd network stack and kernel APIs.


Finding a maintainer is the purpose of this post, and the solution to 
your concerns, so lets stay on subject, OK.

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Scott Long]

On Apr 14, 2013, at 7:20 AM, Joe fb...@a1poweruser.com wrote:

 Rui Paulo wrote:
 On 2013/04/12, at 22:31, Scott Long sco...@samsco.org wrote:
 On Apr 12, 2013, at 7:43 PM, Rui Paulo rpa...@freebsd.org wrote:
 
 On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:
 
 Lack of maintainer in a near future would lead to bitrot due to changes
 in other areas of network stack, kernel APIs, etc. This already happens,
 many changes during 10.0-CURRENT cycle were only compile tested wrt
 ipfilter. If we fail to find maintainer, then a correct decision would be
 to remove ipfilter(4) from the base system before 10.0-RELEASE.
 This has been discussed in the past. Every time someone came up and said 
 I'm still using ipfilter! and the idea to remove it dies with it. I've 
 been saying we should remove it for 4 years now. Not only it's outdated 
 but it also doesn't not fit well in the FreeBSD roadmap. Then there's the 
 question of maintainability. We gave the author a commit bit so that he 
 could maintain it. That doesn't happen anymore and it sounds like he has 
 since moved away from FreeBSD. I cannot find any reason to burden another 
 FreeBSD developer with maintaining ipfilter.
 
 One thing that FreeBSD is bad about (and this really applies to many open 
 source projects) when deprecating something is that the developer and 
 release engineering groups rarely provide adequate, if any, tools to help 
 users transition and cope with the deprecation.  The fear of deprecation 
 can be largely overcome by giving these users a clear and comprehensive 
 path forward.  Just announcing ipfilter is going away.  EOM is inadequate 
 and leads to completely justified complaints from users.
 I agree with the deprecation path, but given the amount of changes that 
 happened in the last 6 months, I'm not even sure ipfilter is working fine in 
 FreeBSD CURRENT, but I haven't tested it.
 So with that said, would it be possible to write some tutorials on how to 
 migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
 accompanied by a few case studies?  Is it possible for a script to automate 
 some of the common mechanical changes?  Also essential is a clear document 
 on what goes away with ipfilter and what is gained with pf.  Once those 
 tools are written, I suggest announcing that ipfilter is available but 
 deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
 Certain people will still pitch a fit about it departing, but if the tools 
 are there to help the common users, you'll be successful in winning 
 mindshare and general support.
 It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but 
 I'm not sure automated tools exist. I'm also not convinced we need to write 
 them and I think the issue can be deal with by writing a bunch of examples 
 on how to do it manually. Then we can give people 1y to switch.
 Regards,
 --
 Rui Paulo
 
 Wow boys, This conversation has gotten way off track. Looking for a 
 maintainer for ipfilter is totally different than opening the dead subject of 
 removing ipfilter from the system.
 

The project has been in search of a maintainer for ipfilter for many years.  
Gleb's most recent plea is just the latest round in this loose battle.

 Look at openbsd's pf, its been forked and is now freebsd maintained. New 
 upstream versions of Ipfilter have always needed tweaking before it can be 
 included in the base system. If your unsatisfied with the lack of bug fixes, 
 then ask the author for special permission to create a fork if his license 
 don't allow it now.
 
 The point is: ipfilter is part of FreeBSD and you are never going to remove 
 it. Accept that fact.
 

Negative, amigo.  Without passionate interest in developing ipfilter, it's just 
a roadblock and an eyesore.  Abandonware needs to be culled.

Scott

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Odhiambo Washington]

I do not stand in any good stead to comment on this, but I have used
IPFilter more extensively than PF when it comes to FreeBSD and packet
manipulations. As a user, what I can say is this:

1. The only firewall that seems 'native' to FreeBSD is ipfw and I believe
it works very well for some users who are able to adapt to it's syntax.
2. PF is being felt to be part of FreeBSD, but it too lags far behind
OpenBSD implementation - almost like it's unmaintained. There has been
debates about this which were never concluded. Most of you will agree with
me on this.

 IPFilter is obviously NOT going to make it in 10.x and never releases
because of those changes which have led to this thread/debate.

So my take is there is a very simple answer/solution to this debate, which
conforms to the K.I.S.S principle:

3. There is NO need to look for a maintainer. Simply DEPRECATE IPFilter
from 10.x and put out a BIG Notice/Billboard somewhere where whoever needs
to run FreeBSD because of IPFilter will find it. I doubt there is such a
person anywhere because there are firewall implementations out there that
can address this. Just put it out somewhere that IPFilter is NOT AVAILABLE
on FreeBSD 10.x upwards and go ahead and remove it from the system. Nobody
will complain. If anyone does, tell them that IPFilter is supported on
FreeBSD upto 8.x (or is it 9.x? On my 9.x systems I use PF).

4. It's pretty easy for a newcomer to adopt and adapt to a firewall that is
properly supported. Newcomers don't have much choice anyway. They decide to
go with a system after finding out that it meets their requirements.

Let's remember that there are other Unix variants out there with Firewall
implementations too.

I hope this helps you big boys settle this debate.




On 14 April 2013 16:25, Scott Long sco...@samsco.org wrote:


 On Apr 14, 2013, at 7:20 AM, Joe fb...@a1poweruser.com wrote:

  Rui Paulo wrote:
  On 2013/04/12, at 22:31, Scott Long sco...@samsco.org wrote:
  On Apr 12, 2013, at 7:43 PM, Rui Paulo rpa...@freebsd.org wrote:
 
  On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:
 
  Lack of maintainer in a near future would lead to bitrot due to
 changes
  in other areas of network stack, kernel APIs, etc. This already
 happens,
  many changes during 10.0-CURRENT cycle were only compile tested wrt
  ipfilter. If we fail to find maintainer, then a correct decision
 would be
  to remove ipfilter(4) from the base system before 10.0-RELEASE.
  This has been discussed in the past. Every time someone came up and
 said I'm still using ipfilter! and the idea to remove it dies with it.
 I've been saying we should remove it for 4 years now. Not only it's
 outdated but it also doesn't not fit well in the FreeBSD roadmap. Then
 there's the question of maintainability. We gave the author a commit bit so
 that he could maintain it. That doesn't happen anymore and it sounds like
 he has since moved away from FreeBSD. I cannot find any reason to burden
 another FreeBSD developer with maintaining ipfilter.
 
  One thing that FreeBSD is bad about (and this really applies to many
 open source projects) when deprecating something is that the developer and
 release engineering groups rarely provide adequate, if any, tools to help
 users transition and cope with the deprecation.  The fear of deprecation
 can be largely overcome by giving these users a clear and comprehensive
 path forward.  Just announcing ipfilter is going away.  EOM is inadequate
 and leads to completely justified complaints from users.
  I agree with the deprecation path, but given the amount of changes that
 happened in the last 6 months, I'm not even sure ipfilter is working fine
 in FreeBSD CURRENT, but I haven't tested it.
  So with that said, would it be possible to write some tutorials on how
 to migrate an ipfilter installation to pf?  Maybe some mechanical syntax
 docs accompanied by a few case studies?  Is it possible for a script to
 automate some of the common mechanical changes?  Also essential is a clear
 document on what goes away with ipfilter and what is gained with pf.  Once
 those tools are written, I suggest announcing that ipfilter is available
 but deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD
 11.  Certain people will still pitch a fit about it departing, but if the
 tools are there to help the common users, you'll be successful in winning
 mindshare and general support.
  It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf,
 but I'm not sure automated tools exist. I'm also not convinced we need to
 write them and I think the issue can be deal with by writing a bunch of
 examples on how to do it manually. Then we can give people 1y to switch.
  Regards,
  --
  Rui Paulo
 
  Wow boys, This conversation has gotten way off track. Looking for a
 maintainer for ipfilter is totally different than opening the dead subject
 of removing ipfilter from the system.
 

 The project has been in search of a maintainer 

Re: ipfilter(4) needs maintainer

[Warren Block]

On Sun, 14 Apr 2013, Chris Rees wrote:


On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:

2013/04/13 16:01?Scott Long scott4l...@yahoo.com ??:


Maybe something else, but whatever it is, it should be done.  If you and Gleb 
don't want to do this, I will.


I already started writing a guide. See here for a very incomplete version:

http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html


If you're really serious about deprecating ipf, we absolutely have to
remove instructions for it from the Handbook as soon as possible;
every time a new user comes across instructions you're going to have
yet another annoyed party.

http://www.bayofrum.net/~crees/patches/remove-ipf.diff


This should probably be done like we did for CVS for ports.  Mark it as 
deprecated, then remove the Handbook section once the code is removed.


Is it possible to move ipfilter into a port?
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Odhiambo Washington]

It's NOT possible, because someone has to handle the kernel hooks, which is
the contention.
Mark as deprecated, remove the HandBook section, but only for 10.x



On 14 April 2013 18:48, Warren Block wbl...@wonkity.com wrote:

 On Sun, 14 Apr 2013, Chris Rees wrote:

  On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:

 2013/04/13 16:01?Scott Long scott4l...@yahoo.com ??:


  Maybe something else, but whatever it is, it should be done.  If you
 and Gleb don't want to do this, I will.


 I already started writing a guide. See here for a very incomplete
 version:

 http://people.freebsd.org/~**rpaulo/ipf-deprecation/**article.htmlhttp://people.freebsd.org/~rpaulo/ipf-deprecation/article.html


 If you're really serious about deprecating ipf, we absolutely have to
 remove instructions for it from the Handbook as soon as possible;
 every time a new user comes across instructions you're going to have
 yet another annoyed party.

 http://www.bayofrum.net/~**crees/patches/remove-ipf.diffhttp://www.bayofrum.net/~crees/patches/remove-ipf.diff


 This should probably be done like we did for CVS for ports.  Mark it as
 deprecated, then remove the Handbook section once the code is removed.

 Is it possible to move ipfilter into a port?

 __**_
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/**mailman/listinfo/freebsd-**currenthttp://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscribe@**
 freebsd.org freebsd-current-unsubscr...@freebsd.org




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Chris Rees]

On 14 April 2013 16:48, Warren Block wbl...@wonkity.com wrote:
 On Sun, 14 Apr 2013, Chris Rees wrote:

 On 14 April 2013 01:41, Rui Paulo rpa...@felyko.com wrote:

 2013/04/13 16:01?Scott Long scott4l...@yahoo.com ??:


 Maybe something else, but whatever it is, it should be done.  If you and
 Gleb don't want to do this, I will.


 I already started writing a guide. See here for a very incomplete
 version:

 http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html


 If you're really serious about deprecating ipf, we absolutely have to
 remove instructions for it from the Handbook as soon as possible;
 every time a new user comes across instructions you're going to have
 yet another annoyed party.

 http://www.bayofrum.net/~crees/patches/remove-ipf.diff


 This should probably be done like we did for CVS for ports.  Mark it as
 deprecated, then remove the Handbook section once the code is removed.

 Is it possible to move ipfilter into a port?

There isn't really a point in moving it to a port, because it still
needs the same level of commitment to make it work; many kernel/net
changes cause it to break, and Rui has already pointed out that no-one
knows if it even works at all on HEAD.

Moving kernel stuff like this to ports isn't really an option :/

Chris
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Gary Palmer]

On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:
 Is it possible to move ipfilter into a port?

That may work short term, but the ENOMAINTAINER problem will quickly creep
up again as kernel APIs change.  If the author has lost interest in
maintaining the FreeBSD port of ipfilter then unless someone steps forward
to carry on the work, I don't see much of a future for ipfilter in
FreeBSD

Do we honestly need three packet filters?

Regards,

Gary
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[cpet]

Hi,

I will see what I can do when I come back from work. PF is based on
ipfilter so having 3 is indeed a bit much.

Chris

 On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:
 Is it possible to move ipfilter into a port?

 That may work short term, but the ENOMAINTAINER problem will quickly creep
 up again as kernel APIs change.  If the author has lost interest in
 maintaining the FreeBSD port of ipfilter then unless someone steps forward
 to carry on the work, I don't see much of a future for ipfilter in
 FreeBSD

 Do we honestly need three packet filters?

 Regards,

 Gary
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org



___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re[2]: ipfilter(4) needs maintainer

[wishmaster]

 --- Original message ---
From: Gary Palmer gpal...@freebsd.org
Date: 14 April 2013, 19:06:59

 
 On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:
  Is it possible to move ipfilter into a port?
 
 That may work short term, but the ENOMAINTAINER problem will quickly creep
 up again as kernel APIs change.  If the author has lost interest in
 maintaining the FreeBSD port of ipfilter then unless someone steps forward
 to carry on the work, I don't see much of a future for ipfilter in
 FreeBSD
 
 Do we honestly need three packet filters?
  
Yes! This is the most clever thought in this thread. Why we need 3 
firewalls? Two packet filters it's excess too.
 We have two packet filters: one with excellent syntax and functionality 
but with outdated bandwidth control mechanism (aka ALTQ); another - with nice 
traffic shaper/prioritization (dummynet)/classification (diffused) but with 
complicated implementation  in not trivial tasks.
May be the next step will be discussion about one packet filter in the 
system?..

Cheers,


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Dag-Erling Smørgrav]

Odhiambo Washington odhia...@gmail.com writes:
 2. PF is being felt to be part of FreeBSD, but it too lags far behind
 OpenBSD implementation - almost like it's unmaintained. There has been
 debates about this which were never concluded. Most of you will agree with
 me on this.

FreeBSD's version of pf is actively maintained by Gleb.  IIUC, the
reason why it lags behind OpenBSD is partly that OpenBSD keep making
changes to the filter syntax which break existing rulesets, and partly
that FreeBSD's and OpenBSD's network stacks and locking primitives are
so different that we can't easily plug OpenBSD's code into our kernel
without significant performance issues.

DES
-- 
Dag-Erling Smørgrav - d...@des.no
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Joe Holden]

wishmaster wrote:


 --- Original message ---
From: Gary Palmer gpal...@freebsd.org
Date: 14 April 2013, 19:06:59

 

On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:

Is it possible to move ipfilter into a port?

That may work short term, but the ENOMAINTAINER problem will quickly creep
up again as kernel APIs change.  If the author has lost interest in
maintaining the FreeBSD port of ipfilter then unless someone steps forward
to carry on the work, I don't see much of a future for ipfilter in
FreeBSD

Do we honestly need three packet filters?
  
Yes! This is the most clever thought in this thread. Why we need 3 firewalls? Two packet filters it's excess too.

 We have two packet filters: one with excellent syntax and functionality 
but with outdated bandwidth control mechanism (aka ALTQ); another - with nice 
traffic shaper/prioritization (dummynet)/classification (diffused) but with 
complicated implementation  in not trivial tasks.
May be the next step will be discussion about one packet filter in the 
system?..

Cheers,
For non-nat ipfw is still superior in every way, numbered rules (think: 
scripts), dummynet, much faster than pf, syntax is a lot nicer and 
predictable...


Does anyone even use ipf? it doesn't even work on Linux anymore, junk it 
and keep pf+ipfw, job done.


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Anton Shterenlikht]

A migration *guide*, yes. Tools to convert one syntax to another: no.

ok, so what is the brief migraiton advice?
The Handbook mentions PF and IPFW.
I gather from your mails that PF is the recommended choice.
Is that so?

If I choose PF, can I just follow the
Handbook PF section, and once it's working,
remove all IPF related kernel options and config
files?

Thanks

Anton

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Re[2]: ipfilter(4) needs maintainer

[Sam Fourman Jr.]

I agree with this, we dont need 3 packet filters, it seems like we should
focus the people interested in working on packet filters,toward the packet
filter most actively maintained, the fact that there is 3 in base is
overkill, Just depreciate it and be done with it
a new email, asking for help to bring pf closer to OpenBSD, is more of a
productive conversation.


On Sun, Apr 14, 2013 at 1:30 PM, wishmaster artem...@ukr.net wrote:



  --- Original message ---
 From: Gary Palmer gpal...@freebsd.org
 Date: 14 April 2013, 19:06:59


  On Sun, Apr 14, 2013 at 09:48:33AM -0600, Warren Block wrote:
   Is it possible to move ipfilter into a port?
 
  That may work short term, but the ENOMAINTAINER problem will quickly
 creep
  up again as kernel APIs change.  If the author has lost interest in
  maintaining the FreeBSD port of ipfilter then unless someone steps
 forward
  to carry on the work, I don't see much of a future for ipfilter in
  FreeBSD
 
  Do we honestly need three packet filters?

 Yes! This is the most clever thought in this thread. Why we need 3
 firewalls? Two packet filters it's excess too.
  We have two packet filters: one with excellent syntax and
 functionality but with outdated bandwidth control mechanism (aka ALTQ);
 another - with nice traffic shaper/prioritization (dummynet)/classification
 (diffused) but with complicated implementation  in not trivial tasks.
 May be the next step will be discussion about one packet filter in the
 system?..

 Cheers,


 ___
 freebsd-...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-net
 To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org




-- 

Sam Fourman Jr.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Rui Paulo]

On 2013/04/14, at 12:11, Anton Shterenlikht me...@bris.ac.uk wrote:

   A migration *guide*, yes. Tools to convert one syntax to another: no.
 
 ok, so what is the brief migraiton advice?

It's still being written.

 The Handbook mentions PF and IPFW.
 I gather from your mails that PF is the recommended choice.
 Is that so?

Yes, because of how much easier it is to convert from ipf to pf version ipf to 
ipfw.

 If I choose PF, can I just follow the
 Handbook PF section, and once it's working,
 remove all IPF related kernel options and config
 files?


Yes, that will be the plan.

Regards,
--
Rui Paulo

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Mark Martinec]

On Sunday April 14 2013 19:30:22 wishmaster wrote:
  Do we honestly need three packet filters?
 Yes! This is the most clever thought in this thread. Why we need 3
 firewalls? Two packet filters it's excess too. We have two packet filters:
 one with excellent syntax and functionality but with outdated bandwidth
 control mechanism (aka ALTQ); another - with nice traffic
 shaper/prioritization (dummynet)/classification (diffused) but with
 complicated implementation  in not trivial tasks. May be the next step
 will be discussion about one packet filter in the system?..

... and as far as I can tell none of them is currently usable
on an IPv6-only FreeBSD (like protecting a host with sshguard),
none of them supports stateful NAT64, nor IPv6 prefix translation :(

  Mark
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Jim Thompson]

On Apr 14, 2013, at 5:25 PM, Mark Martinec mark.martinec+free...@ijs.si wrote:

 ... and as far as I can tell none of them is currently usable
 on an IPv6-only FreeBSD (like protecting a host with sshguard),
 none of them supports stateful NAT64, nor IPv6 prefix translation :(

pfSense 2.1 has a lot of work to make this happen for pf, so it should be 
possible for pf with some attention.

Jim

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[John Hixson]

On Fri, Apr 12, 2013 at 11:31:09PM -0600, Scott Long wrote:
 
 On Apr 12, 2013, at 7:43 PM, Rui Paulo rpa...@freebsd.org wrote:
 
  On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:
  
  Lack of maintainer in a near future would lead to bitrot due to changes
  in other areas of network stack, kernel APIs, etc. This already happens,
  many changes during 10.0-CURRENT cycle were only compile tested wrt
  ipfilter. If we fail to find maintainer, then a correct decision would be
  to remove ipfilter(4) from the base system before 10.0-RELEASE.
  
  This has been discussed in the past. Every time someone came up and said 
  I'm still using ipfilter! and the idea to remove it dies with it. 
  I've been saying we should remove it for 4 years now. Not only it's 
  outdated but it also doesn't not fit well in the FreeBSD roadmap. Then 
  there's the question of maintainability. We gave the author a commit bit so 
  that he could maintain it. That doesn't happen anymore and it sounds like 
  he has since moved away from FreeBSD. I cannot find any reason to burden 
  another FreeBSD developer with maintaining ipfilter.
  
 
 One thing that FreeBSD is bad about (and this really applies to many open 
 source projects) when deprecating something is that the developer and release 
 engineering groups rarely provide adequate, if any, tools to help users 
 transition and cope with the deprecation.  The fear of deprecation can be 
 largely overcome by giving these users a clear and comprehensive path 
 forward.  Just announcing ipfilter is going away.  EOM is inadequate and 
 leads to completely justified complaints from users.
 
 So with that said, would it be possible to write some tutorials on how to 
 migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
 accompanied by a few case studies?  Is it possible for a script to automate 
 some of the common mechanical changes?  Also essential is a clear document on 
 what goes away with ipfilter and what is gained with pf.  Once those tools 
 are written, I suggest announcing that ipfilter is available but 
 deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
 Certain people will still pitch a fit about it departing, but if the tools 
 are there to help the common users, you'll be successful in winning mindshare 
 and general support.
 

++
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Rui Paulo]

On 2013/04/12, at 22:31, Scott Long sco...@samsco.org wrote:

 On Apr 12, 2013, at 7:43 PM, Rui Paulo rpa...@freebsd.org wrote:
 
 On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:
 
 Lack of maintainer in a near future would lead to bitrot due to changes
 in other areas of network stack, kernel APIs, etc. This already happens,
 many changes during 10.0-CURRENT cycle were only compile tested wrt
 ipfilter. If we fail to find maintainer, then a correct decision would be
 to remove ipfilter(4) from the base system before 10.0-RELEASE.
 
 This has been discussed in the past. Every time someone came up and said 
 I'm still using ipfilter! and the idea to remove it dies with it. 
 I've been saying we should remove it for 4 years now. Not only it's outdated 
 but it also doesn't not fit well in the FreeBSD roadmap. Then there's the 
 question of maintainability. We gave the author a commit bit so that he 
 could maintain it. That doesn't happen anymore and it sounds like he has 
 since moved away from FreeBSD. I cannot find any reason to burden another 
 FreeBSD developer with maintaining ipfilter.
 
 
 One thing that FreeBSD is bad about (and this really applies to many open 
 source projects) when deprecating something is that the developer and release 
 engineering groups rarely provide adequate, if any, tools to help users 
 transition and cope with the deprecation.  The fear of deprecation can be 
 largely overcome by giving these users a clear and comprehensive path 
 forward.  Just announcing ipfilter is going away.  EOM is inadequate and 
 leads to completely justified complaints from users.

I agree with the deprecation path, but given the amount of changes that 
happened in the last 6 months, I'm not even sure ipfilter is working fine in 
FreeBSD CURRENT, but I haven't tested it.

 So with that said, would it be possible to write some tutorials on how to 
 migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
 accompanied by a few case studies?  Is it possible for a script to automate 
 some of the common mechanical changes?  Also essential is a clear document on 
 what goes away with ipfilter and what is gained with pf.  Once those tools 
 are written, I suggest announcing that ipfilter is available but 
 deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
 Certain people will still pitch a fit about it departing, but if the tools 
 are there to help the common users, you'll be successful in winning mindshare 
 and general support.


It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but I'm 
not sure automated tools exist. I'm also not convinced we need to write them 
and I think the issue can be deal with by writing a bunch of examples on how to 
do it manually. Then we can give people 1y to switch.

Regards,
--
Rui Paulo

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Scott Long]

On Apr 13, 2013, at 12:33 AM, Rui Paulo rpa...@freebsd.org wrote:

 On 2013/04/12, at 22:31, Scott Long sco...@samsco.org wrote:
 
 On Apr 12, 2013, at 7:43 PM, Rui Paulo rpa...@freebsd.org wrote:
 
 On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:
 
 Lack of maintainer in a near future would lead to bitrot due to changes
 in other areas of network stack, kernel APIs, etc. This already happens,
 many changes during 10.0-CURRENT cycle were only compile tested wrt
 ipfilter. If we fail to find maintainer, then a correct decision would be
 to remove ipfilter(4) from the base system before 10.0-RELEASE.
 
 This has been discussed in the past. Every time someone came up and said 
 I'm still using ipfilter! and the idea to remove it dies with it. 
 I've been saying we should remove it for 4 years now. Not only it's 
 outdated but it also doesn't not fit well in the FreeBSD roadmap. Then 
 there's the question of maintainability. We gave the author a commit bit so 
 that he could maintain it. That doesn't happen anymore and it sounds like 
 he has since moved away from FreeBSD. I cannot find any reason to burden 
 another FreeBSD developer with maintaining ipfilter.
 
 
 One thing that FreeBSD is bad about (and this really applies to many open 
 source projects) when deprecating something is that the developer and 
 release engineering groups rarely provide adequate, if any, tools to help 
 users transition and cope with the deprecation.  The fear of deprecation can 
 be largely overcome by giving these users a clear and comprehensive path 
 forward.  Just announcing ipfilter is going away.  EOM is inadequate and 
 leads to completely justified complaints from users.
 
 I agree with the deprecation path, but given the amount of changes that 
 happened in the last 6 months, I'm not even sure ipfilter is working fine in 
 FreeBSD CURRENT, but I haven't tested it.
 

You target audience for this isn't people who track CURRENT, it's people who 
are on 7, 8, or 9 and looking to update to 10.x sometime in the future.

 So with that said, would it be possible to write some tutorials on how to 
 migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
 accompanied by a few case studies?  Is it possible for a script to automate 
 some of the common mechanical changes?  Also essential is a clear document 
 on what goes away with ipfilter and what is gained with pf.  Once those 
 tools are written, I suggest announcing that ipfilter is available but 
 deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
 Certain people will still pitch a fit about it departing, but if the tools 
 are there to help the common users, you'll be successful in winning 
 mindshare and general support.
 
 
 It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but 
 I'm not sure automated tools exist. I'm also not convinced we need to write 
 them and I think the issue can be deal with by writing a bunch of examples on 
 how to do it manually. Then we can give people 1y to switch.
 

Please believe me that no matter how trivial you think the switch is, a 
migration guide still needs to be written.

Scott
\
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Kimmo Paasiala]

On Sat, Apr 13, 2013 at 3:03 PM, Scott Long sco...@samsco.org wrote:

 On Apr 13, 2013, at 12:33 AM, Rui Paulo rpa...@freebsd.org wrote:

 On 2013/04/12, at 22:31, Scott Long sco...@samsco.org wrote:

 On Apr 12, 2013, at 7:43 PM, Rui Paulo rpa...@freebsd.org wrote:

 On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:

 Lack of maintainer in a near future would lead to bitrot due to changes
 in other areas of network stack, kernel APIs, etc. This already happens,
 many changes during 10.0-CURRENT cycle were only compile tested wrt
 ipfilter. If we fail to find maintainer, then a correct decision would be
 to remove ipfilter(4) from the base system before 10.0-RELEASE.

 This has been discussed in the past. Every time someone came up and said 
 I'm still using ipfilter! and the idea to remove it dies with it.
 I've been saying we should remove it for 4 years now. Not only it's 
 outdated but it also doesn't not fit well in the FreeBSD roadmap. Then 
 there's the question of maintainability. We gave the author a commit bit 
 so that he could maintain it. That doesn't happen anymore and it sounds 
 like he has since moved away from FreeBSD. I cannot find any reason to 
 burden another FreeBSD developer with maintaining ipfilter.


 One thing that FreeBSD is bad about (and this really applies to many open 
 source projects) when deprecating something is that the developer and 
 release engineering groups rarely provide adequate, if any, tools to help 
 users transition and cope with the deprecation.  The fear of deprecation 
 can be largely overcome by giving these users a clear and comprehensive 
 path forward.  Just announcing ipfilter is going away.  EOM is inadequate 
 and leads to completely justified complaints from users.

 I agree with the deprecation path, but given the amount of changes that 
 happened in the last 6 months, I'm not even sure ipfilter is working fine in 
 FreeBSD CURRENT, but I haven't tested it.


 You target audience for this isn't people who track CURRENT, it's people who 
 are on 7, 8, or 9 and looking to update to 10.x sometime in the future.

 So with that said, would it be possible to write some tutorials on how to 
 migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
 accompanied by a few case studies?  Is it possible for a script to automate 
 some of the common mechanical changes?  Also essential is a clear document 
 on what goes away with ipfilter and what is gained with pf.  Once those 
 tools are written, I suggest announcing that ipfilter is available but 
 deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
 Certain people will still pitch a fit about it departing, but if the tools 
 are there to help the common users, you'll be successful in winning 
 mindshare and general support.


 It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but 
 I'm not sure automated tools exist. I'm also not convinced we need to write 
 them and I think the issue can be deal with by writing a bunch of examples 
 on how to do it manually. Then we can give people 1y to switch.


 Please believe me that no matter how trivial you think the switch is, a 
 migration guide still needs to be written.

 Scott
 \

The migration guide is best written by the current users of ipfilter,
not those who have no interest in doing so because their interests are
completely elsewhere.

Please don't try to defer to an authority that does not exist here.

-Kimmo
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Gleb Smirnoff]

  Scott,

On Fri, Apr 12, 2013 at 11:31:09PM -0600, Scott Long wrote:
S One thing that FreeBSD is bad about (and this really applies to many open 
source projects) when deprecating something is that the developer and release 
engineering groups rarely provide adequate, if any, tools to help users 
transition and cope with the deprecation.  The fear of deprecation can be 
largely overcome by giving these users a clear and comprehensive path forward.  
Just announcing ipfilter is going away.  EOM is inadequate and leads to 
completely justified complaints from users.
S 
S So with that said, would it be possible to write some tutorials on how to 
migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
accompanied by a few case studies?  Is it possible for a script to automate 
some of the common mechanical changes?  Also essential is a clear document on 
what goes away with ipfilter and what is gained with pf.  Once those tools are 
written, I suggest announcing that ipfilter is available but 
deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
Certain people will still pitch a fit about it departing, but if the tools are 
there to help the common users, you'll be successful in winning mindshare and 
general support.

The task to write a migration guide is already a task for maintainer, and
the thread is to search one.

If lack of migration guide doesn't allow us to remove in 10.x cycle, I doubt
the guide will appear in 11.x cycle, 12.x, etc. So we will live with ipfilter
forever.

What I can do, is to resend email to the stable@ list.

Also, I can add the deprecation WARNING to stable/9 unless we find maintainer
prior to 9.2 branching.

-- 
Totus tuus, Glebius.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Rui Paulo]

On 2013/04/13, at 5:03, Scott Long sco...@samsco.org wrote:
 You target audience for this isn't people who track CURRENT, it's people who 
 are on 7, 8, or 9 and looking to update to 10.x sometime in the future.

Yes, I'm aware of that, but the problem remains. If ipfilter is broken or gets 
broken because of the networking stack changes, we'll have to fix it to keep 
the deprecation path going...

 So with that said, would it be possible to write some tutorials on how to 
 migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
 accompanied by a few case studies?  Is it possible for a script to automate 
 some of the common mechanical changes?  Also essential is a clear document 
 on what goes away with ipfilter and what is gained with pf.  Once those 
 tools are written, I suggest announcing that ipfilter is available but 
 deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
 Certain people will still pitch a fit about it departing, but if the tools 
 are there to help the common users, you'll be successful in winning 
 mindshare and general support.
 
 
 It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but 
 I'm not sure automated tools exist. I'm also not convinced we need to write 
 them and I think the issue can be deal with by writing a bunch of examples 
 on how to do it manually. Then we can give people 1y to switch.
 
 
 Please believe me that no matter how trivial you think the switch is, a 
 migration guide still needs to be written.


A migration *guide*, yes. Tools to convert one syntax to another: no.

Regards,
--
Rui Paulo

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Scott Long]

On Apr 13, 2013, at 11:43 AM, Rui Paulo rpa...@freebsd.org wrote:

 On 2013/04/13, at 5:03, Scott Long sco...@samsco.org wrote:
 You target audience for this isn't people who track CURRENT, it's people who 
 are on 7, 8, or 9 and looking to update to 10.x sometime in the future.
 
 Yes, I'm aware of that, but the problem remains. If ipfilter is broken or 
 gets broken because of the networking stack changes, we'll have to fix it to 
 keep the deprecation path going...
 

Welcome to the challenges of maintaining a whole OS :-)

 So with that said, would it be possible to write some tutorials on how to 
 migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
 accompanied by a few case studies?  Is it possible for a script to 
 automate some of the common mechanical changes?  Also essential is a clear 
 document on what goes away with ipfilter and what is gained with pf.  Once 
 those tools are written, I suggest announcing that ipfilter is available 
 but deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 
 11.  Certain people will still pitch a fit about it departing, but if the 
 tools are there to help the common users, you'll be successful in winning 
 mindshare and general support.
 
 
 It's not very difficult to switch an ipf.conf/ipnat.conf to a pf.conf, but 
 I'm not sure automated tools exist. I'm also not convinced we need to write 
 them and I think the issue can be deal with by writing a bunch of examples 
 on how to do it manually. Then we can give people 1y to switch.
 
 Please believe me that no matter how trivial you think the switch is, a 
 migration guide still needs to be written.
 
 
 A migration *guide*, yes. Tools to convert one syntax to another: no.
 

Ok, so in response to this and to Glebs email, lets rephrase the call for help 
into a call for someone with ipfilter experience to help write a migration 
guide.  Like I said, this isn't about migrating from 10-current to 10-current 
prime, it about migrating from 7/8/9 where up ipfilter does work.  Maybe look 
for old openbsd docs and mailing list items from when they did their forced 
migration.  Maybe fish for help by announcing the deprecation and removal 
schedule and hook whomever complains into helping instead.  Maybe something 
else, but whatever it is, it should be done.  If you and Gleb don't want to do 
this, I will.

Scott

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Rui Paulo]

2013/04/13 16:01、Scott Long scott4l...@yahoo.com のメッセージ:

 Maybe something else, but whatever it is, it should be done.  If you and Gleb 
 don't want to do this, I will.

I already started writing a guide. See here for a very incomplete version:

http://people.freebsd.org/~rpaulo/ipf-deprecation/article.html
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Rui Paulo]

On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:

 Lack of maintainer in a near future would lead to bitrot due to changes
 in other areas of network stack, kernel APIs, etc. This already happens,
 many changes during 10.0-CURRENT cycle were only compile tested wrt
 ipfilter. If we fail to find maintainer, then a correct decision would be
 to remove ipfilter(4) from the base system before 10.0-RELEASE.

This has been discussed in the past. Every time someone came up and said I'm 
still using ipfilter! and the idea to remove it dies with it. 
I've been saying we should remove it for 4 years now. Not only it's outdated 
but it also doesn't not fit well in the FreeBSD roadmap. Then there's the 
question of maintainability. We gave the author a commit bit so that he could 
maintain it. That doesn't happen anymore and it sounds like he has since moved 
away from FreeBSD. I cannot find any reason to burden another FreeBSD developer 
with maintaining ipfilter.

--
Rui Paulo

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: ipfilter(4) needs maintainer

[Scott Long]

On Apr 12, 2013, at 7:43 PM, Rui Paulo rpa...@freebsd.org wrote:

 On 2013/04/11, at 13:18, Gleb Smirnoff gleb...@freebsd.org wrote:
 
 Lack of maintainer in a near future would lead to bitrot due to changes
 in other areas of network stack, kernel APIs, etc. This already happens,
 many changes during 10.0-CURRENT cycle were only compile tested wrt
 ipfilter. If we fail to find maintainer, then a correct decision would be
 to remove ipfilter(4) from the base system before 10.0-RELEASE.
 
 This has been discussed in the past. Every time someone came up and said I'm 
 still using ipfilter! and the idea to remove it dies with it. 
 I've been saying we should remove it for 4 years now. Not only it's outdated 
 but it also doesn't not fit well in the FreeBSD roadmap. Then there's the 
 question of maintainability. We gave the author a commit bit so that he could 
 maintain it. That doesn't happen anymore and it sounds like he has since 
 moved away from FreeBSD. I cannot find any reason to burden another FreeBSD 
 developer with maintaining ipfilter.
 

One thing that FreeBSD is bad about (and this really applies to many open 
source projects) when deprecating something is that the developer and release 
engineering groups rarely provide adequate, if any, tools to help users 
transition and cope with the deprecation.  The fear of deprecation can be 
largely overcome by giving these users a clear and comprehensive path forward.  
Just announcing ipfilter is going away.  EOM is inadequate and leads to 
completely justified complaints from users.

So with that said, would it be possible to write some tutorials on how to 
migrate an ipfilter installation to pf?  Maybe some mechanical syntax docs 
accompanied by a few case studies?  Is it possible for a script to automate 
some of the common mechanical changes?  Also essential is a clear document on 
what goes away with ipfilter and what is gained with pf.  Once those tools are 
written, I suggest announcing that ipfilter is available but 
deprecated/unsupported in FreeBSD 10, and will be removed from FreeBSD 11.  
Certain people will still pitch a fit about it departing, but if the tools are 
there to help the common users, you'll be successful in winning mindshare and 
general support.

Scott

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

ipfilter(4) needs maintainer

[Gleb Smirnoff]

  Hello,

  here is brief status on ipfilter(4) packet filtering facility,
written by Darren Reed, that is shipped with FreeBSD kernel.

o The version of the software is v4.1.28. The license is BSD, .. erm
  the license is very close to BSD, but with some additions, most
  notable is: 

 The licence and distribution terms for any publically available version or
 derivative of this code cannot be changed. i.e. this code cannot simply be
 copied, in part or in whole, and put under another distribution licence
 [including the GNU Public Licence.]

  The version we have is v4.1.28, it was released 16 October 2007.

  Suprisingly, the author has switched ipfilter license to GPL. :) The
  last release under BSD license was v4.1.34, released 11 MArch 2010.

  The author is now working on v5, licensed under GPL.

o There are 29 open bug reports tagged with [ipfilter] in GNATS. Actually
  this is not a lot, since there 95 closed PRs with this tag. Anyway,
  these 29 need care.

o Apart from filed PRs, there is knowledge that ipfilter(4) isn't
  compatible with VIMAGE.

o ipfilter(4) uses old outdated kernel APIs that we want to cleanse
  away from the kernel. And we don't have responsive users, willing
  to test patches. For example, this request for testing wasn't
  answered by anyone:

http://lists.freebsd.org/pipermail/freebsd-net/2012-August/033139.html


Due to license change and inactivity of the author in our tree and
GNATS, there is clear evidence that author do not plan to update or
take care of ipfilter in our source tree. Thus, ipfilter(4) should be
assigned status of our code, that should be taken care of ourselves.

This means it needs maintainer, and this email is a call for one.
Any takers?

Lack of maintainer in a near future would lead to bitrot due to changes
in other areas of network stack, kernel APIs, etc. This already happens,
many changes during 10.0-CURRENT cycle were only compile tested wrt
ipfilter. If we fail to find maintainer, then a correct decision would be
to remove ipfilter(4) from the base system before 10.0-RELEASE.

P.S. The project homepage: http://coombs.anu.edu.au/~avalon/

-- 
Totus tuus, Glebius.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org