ipfw deprecation

Simon 'corecode' Schubert corecode at fs.ei.tum.de
Thu Jun 29 02:25:20 PDT 2006

On 29.06.2006, at 07:03, Andreas Hauser wrote:
I would like to deprecate ipfw (and dummynet, because it needs ipfw)
for the next release and remove it in 1.7.
Can you please show that pf is as fast as ipfw?
No, can't.  As I understand the current answers, we will remove ipfw
from the main code path and get a pfil'ed version instead.  So this
won't affect the speed after all.  Besides, if somebody cares about 
filtering speed, he should do measurements.  I don't have the network,
the equipment, nor the filter set to measure speed.
Well, last time i measured it was a lot slower. I would think that
a good procedure was that if someone wants to remove healthy code
that he has to proof that it is valid to do so.
Yes, the proof is the cleanliness of code:  ipfw is in the main code 
path and needs to be removed from there.  That's the only proof I need. 
 Using your reasoning, we would not be allowed to remove crude hacks in 
favour of nice code, because the crude hacks are faster (quite possible 
in many cases).  But as DragonFly is not the fastest OS ever, and 
neither aims to be as fast as it can get, by sacrificing transparency 
and nice code for speed, we won't have to do benchmarks for every 
change which makes the existing code more maintainable.

Please test at least the cases that /etc/rc.firewall allows for
and provide a script like it for replacement.
A replacement ruleset is a good idea, though I am not sure how to 
handle different types of filtering in one pf ruleset.  But maybe 
somebody is interested in providing one?

Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low €€€ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp00015.pgp
Type: application/octet-stream
Size: 186 bytes
Desc: "Description: This is a digitally signed message part"
URL: <http://lists.dragonflybsd.org/pipermail/kernel/attachments/20060629/a112a8fa/attachment-0020.obj>

More information about the Kernel mailing list