Subject: Re: Try again, itojun, patches need more work.
To: ww@styx.org, Jason Thorpe <thorpej@wasabisystems.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 06/30/2003 22:00:02

On Mon, Jun 30, 2003 at 03:38:58PM -0400, ww@STYX.ORG wrote:
> On Mon, Jun 30, 2003 at 09:26:17PM +0200, Manuel Bouyer wrote:
> > 
> > We never talked about deprecating IPF. PF isn't a superset of IPF. I don't
> > see keep frags here, for example.
> >
> 
> Oh. I was under the impression that it was at least from
> the perspective of the config file. (perhaps it was at one
> time?) 

It looks like it has diverged (which isn't a surprise).

> 
> But it still looks like we are discussing three packet
> classification engines from IPF, PF, and IPSec. Keeping

Four, you forgot ALTQ, which has its own too.

> all of them seems a bit redundant to me, especially since
> the first two are so similar.

It's redundant but as long as both are maintained it's not a problem.

Anyway, you missed a point of the discussion. PF (and ipf too)'s
classification engine is more powerful than the altq and ipsec ones,
so get rid of those and use PF instead. But while we're at it,
it doesn't cost much more to define an API which allows any classification
module to work with altq/ipsec. This would allow building classifiers
with a completely different behavior from PF/IPF's one (which are
basically designed for IP filtering/NAT, nothing else).
For example you may want to sort the packets based on the states of a proxy.

> 
> While we're at it, why don't we integrate ipfw from
> FreeBSD?

If someone wants to work on this, why not?

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 24 years of experience will always make the difference
--