moving pfil consumers to sys/netpfil
Luigi Rizzo
rizzo at iet.unipi.it
Wed Sep 12 20:57:54 UTC 2012
On Wed, Sep 12, 2012 at 04:34:57PM +0400, Gleb Smirnoff wrote:
> Hi,
>
> we (me and Bjoern) would like to establish a single place
> for all kinds of pfil(9) consumers, for current ones and
> for future as well.
>
> The place chosen is sys/netpfil.
>
> On first round we'd like to move there our Tier-1 firewalls:
> ipfw and pf. This also includes moving pf out of contrib.
>
> The plan of movement is the following:
>
> sys/contrib/pf/net/*.c -> sys/netpfil/pf/
> sys/contrib/pf/net/*.h -> sys/net/ [1]
> contrib/pf/pfctl/*.c -> sbin/pfctl
> contrib/pf/pfctl/*.h -> sbin/pfctl
> contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
> contrib/pf/pfctl/*.4 -> share/man/man4
> contrib/pf/pfctl/*.5 -> share/man/man5
>
> sys/netinet/ipfw -> sys/netpfil/ipfw
I have two concerns against moving ipfw/
- what do we gain by moving ipfw/ further
away from its user header files (whose location in netinet/
is pretty much part of the API so difficult to change)?
- pfil is just one of the APIs that the ipfw code
uses to send/receive packets (pfil, netmap for FreeBSD,
and then netfilter and ndispacket for the other OS).
The pfil dependencies amount to probably 1% of the code.
So if we really want to relocate ipfw/ I'd rather move to
a more generic place (but as far as I know we do not have
one for subsystems -- dev/ is used for drivers, other stuff
has generally accumulated under sys/, see geom, ofed, netgraph).
> That's all.
>
> [1] This line is arguable, however the future plan is to:
> - split pfvar.h into pf.h and pf_var.h
> - kill if_pfsync.h and if_pflog.h as soon as they stop being ifnets
This I am curious about - are you planning to remove bpf support
for pflog, or just implement it in a different way?
cheers
luigi