ipfw deprecation

Andreas Hauser andy at splashground.de
Wed Jun 28 22:11:14 PDT 2006


corecode wrote @ Thu, 29 Jun 2006 00:56:35 +0200:
On 29.06.2006, at 00:51, Andreas Hauser wrote:

> >> I would like to deprecate ipfw (and dummynet, because it needs ipfw)
> >> for the next release and remove it in 1.7.
> > Can you please show that pf is as fast as ipfw?
> 
> No, can't.  As I understand the current answers, we will remove ipfw 
> from the main code path and get a pfil'ed version instead.  So this 
> won't affect the speed after all.  Besides, if somebody cares about his 
> filtering speed, he should do measurements.  I don't have the network, 
> the equipment, nor the filter set to measure speed.

Well, last time i measured it was a lot slower. I would think that
a good procedure was that if someone wants to remove healthy code
that he has to proof that it is valid to do so.

Please test at least the cases that /etc/rc.firewall allows for
and provide a script like it for replacement.
If you can't even test that, you shouldn't be allowed to remove that code.

Andy





More information about the Kernel mailing list