cvs commit: src/contrib/pf/man pf.4

Max Laier max at love2party.net
Tue Oct 5 16:01:29 PDT 2004 

On Tuesday 05 October 2004 23:27, Brian Fundakowski Feldman wrote:
> On Tue, Oct 05, 2004 at 08:44:24PM +0000, Max Laier wrote:
> > mlaier      2004-10-05 20:44:24 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:        (Branch: RELENG_5)
> >     contrib/pf/man       pf.4
> >   Log:
> >   MFC:
> >     PFIL_HOOKS in no longer an optional item.
> >
> >     Submitted by:   Anders Hanssen
>
> I have a bunch of questions regarding pf documentation...
>
> Do you think we should update pf(4)/pfctl(8) documentation to
> cross-reference IPFW at all?

I fail to see that point, but I don't care much either way. Maybe I should add 
pf to the firewall(7) "ADDITIONAL READING"?

> Is it worth explaining in pfctl(8) what the default RED parameters for
> ALTQ are and how they relate to qlimit?

Sure. pf.conf(5), right? That's the place you were thinking of - not pfctl(8)?

> Isn't there an altq.4 somewhere?

No. Feel free to write it. I agree that ALTQ documentation is suboptimal at 
the moment. I had plans to evolve the configuration process, but didn't yet 
find time to ... in the longrun it should no longer require dev/pf and all 
that ...

> Shouldn't pfctl(8) document what occurs when there is no memory to add
> an ALTQ tag?

pf.conf(5)? Well, if you don't have memory for a tag you are in trouble 
anyway. But what happens? The packet ends up in the default queue (I hope).

> P.S. Think we should MFC dc(4) ALTQ support?

You know if it works or not, can't comment on that. If it does work, go for 
it. Make sure to update altq(8) as well (or the TBD altq(4))

> P.P.S. Should we look again into changing the pfil locking to not
> fail-open?

Feel free to make if fail-close. You must not sleep there, so it's either open 
or close. In contrast to what I told you earlier - you can return EAGAIN or 
ENOBUF so that applications don't get confused.

Other than that, I am still waiting for you to commit sxfast so that I can 
redo the pfil locking with it. I am wondering, however, if you didn't try to 
sleep there as well (which is not possible here).

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-src/attachments/20041006/5cf40d9b/attachment.bin

More information about the cvs-src mailing list