Subject: Re: ipfilter loading.
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-kern
Date: 04/28/1997 19:23:02
On  Mon, 28 Apr 1997 18:41:41 -0700, Jason Thorpe <thorpej@nas.nasa.gov>
writes:

>If you revert it to the old behavior, I will be at LEAST mildly annoyed.

Well, then, we'll be even ;).  Your ``fix'' added a bug to my firewall.


>With the previous behavior, every packet was passed through the
>filter rule checker even if no rules had been loaded, and the user
>had no intention of loading them.  That's a _bug_.

Jason, I don't agree. If the user configured ipfilter into their
kernel, then passing every packet through the rule-filter engine is
exactly what the user _asked_ for.  Not passing all packets through
the rulefilter is a _bug_.  I think that's what Darren is saying, too.  

I thought Darren was saying that loading an ipfilter LKM should _also_
pass all packets through the rule-filter, unless otherwise specified.
Darren, could you clarify that?

(And, for the record, I'm agnostic about LKMs on this point.) 



> Also, the calling
>convention of the initialization routine was wrong.  That's a _bug_.

Sure.  No argument there.

>If you want the behavior you describe, _please_ implement it as
>a kernel compile option, like:
>
>options         IPF_EARLY_ENABLE        # ipf enabled early, no "ipf -E" req'd.

If anything, the default should be the other way around, for
compatibility with the standard ip_filter distribution, and with
ip_filter on other platforms.  ip_filter has always worked this
way. In fact, that's one of the reasons I recommended we choose it.

Jason, could you explain *why* you want that behaviour?  
And *why* you think the previous default behaviour was a bug?
I don't recall ever seeing such a thing.

It's very likely we're all talking past each other. Perhaps we have
different ideas of what ipfilter is for, and what is sensible default
behaviour.  Making blanket statements like "Do X" (or "don't do X")
doesn't help resolve that at all.

I've tried to explain why I think the current, `fixed' default
behaviour is a bug.  I haven't seen any substantive response to those
messages.  (sorry, but I don't think saying "run ipf -E" is a
substantive response).

Jason, could you please do the same, so that Darren has some more
information to proceed with?