Subject: Re: upgrading ipfilter (was: patch for limiting MSS)
To: NetBSD Networking Technical Discussion List <tech-net@NetBSD.ORG>
From: David Laight <>
List: tech-net
Date: 12/05/2001 23:24:49
> > Couldn't ipf be loaded from an lkm so that the lkm and userland could be
> > easily kept in sync?

Seems to me a lot of the hardware device drivers could be loadable,
and much of the network stack.  Makes developing / testing new drivers
easier - and enforces binary compatibility on you, not a bad thing.
Obviously a network boot (probably) needs the network stack, and the
root disk driver code might be handy, but you don't need all those
drivers for obscure hardware present.  There ought to be some way
of loading 'likely' drivers for PCI cards based on info from the config
space registers...

> It could, if you are not worried about LKM's in general (and presumably
> if you're running ipfilter on even a -current kernel then you are either
> doing development on it, in which case an LKM is OK, or you're using it
> to protect your system in which case use of a LKM is perhaps not
> advisable),

The loadable driver is no more likely to be compromised than the file
containing the filter rules....

> but that doesn't really solve the problem.  You have to
> update the ipfilter user tools and ipfilter kernel code in sync,
> regardless of how the latter is loaded/linked into the kernel you run.

Not if the interface to the updated filter code is binary compatible
with the old version.  Maybe the 'new' userspace programs know how to
load the 'new' or 'old' drivers, possibly with different rules....

(Greg - check the ipfstat man page, one of them uses kmem...)