Subject: Re: upgrading ipfilter (was: patch for limiting MSS)
To: NetBSD Networking Technical Discussion List <tech-net@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 12/05/2001 18:06:25

[ On Wednesday, December 5, 2001 at 16:14:28 (-0500), Rick Byers wrote: ]
> Subject: Re: upgrading ipfilter (was: patch for limiting MSS)
>
> Anyway, if a majority of people are of the opinion that it's better NOT to
> update ipfilter, then I'll just get in the habit of installing the latest
> versions manually myself.

I for one really do want ipfilter upgraded in NetBSD just as soon as
possible after any ipfilter release, unless suddenly Darren declares the
latest ipfilter release unsuitable for any reason.

I have no problems rebuilding and re-installing all the user-land
ipfilter tools at the same time as I update my kernel.  I expect to have
to do such things when I track -current.  It would be nice to have a
quick&dirty way of backing out the user-land tools if I have to
downgrade my kernel too, but that's not too hard to manage manually
(e.g. arrange to have '-b' passed to install when installing the new
userland tools, such as by setting 'PRESERVE="-b -p"').

> Couldn't ipf be loaded from an lkm so that the lkm and userland could be
> easily kept in sync?

It could, if you are not worried about LKMs in general (and presumably
if you're running ipfilter on even a -current kernel then you are either
doing development on it, in which case an LKM is OK, or you're using it
to protect your system in which case use of an LKM is perhaps not
advisable), but that doesn't really solve the problem.  You have to
update the ipfilter user tools and ipfilter kernel code in sync,
regardless of how the latter is loaded/linked into the kernel you run.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>