ipfw deprecation

Dmitri Nikulin dnikulin at gmail.com
Wed Jun 28 17:09:15 PDT 2006


On 29 Jun 2006 00:51:26 +0200, Andreas Hauser <andy at xxxxxxxxxxxxxxx> wrote:
> corecode wrote @ Sun, 25 Jun 2006 13:12:41 +0200:
>
> > I would like to deprecate ipfw (and dummynet, because it needs ipfw)
> > for the next release and remove it in 1.7.
>
> Can you please show that pf is as fast as ipfw?

For NAT, it should be a lot faster. pf doesn't have the 'divert' hack
ipfw does, its NAT stays in the kernel. FTP proxying doesn't, and
good, kernel space transparent proxying is a crime.

Even if pf is measurably slower than ipfw for the same rules, it's
very unlikely to matter compared to all of the other processing to do
with networking, and even if it does matter, seems like ipfw will stay
anyway.

In terms of "horses for courses", until DragonFly as a whole is
optimal enough to make the choice of packet filter a significant
performance consideration, people seeking near-optimal filtered
routing are probably a lot better off using FreeBSD 6 or possibly even
Linux.
 -- Dmitri Nikulin




