Subject: Re: PF for netbsd
To: None <itojun@iijlab.net>
From: Darren Reed <avalon@caligula.anu.edu.au>
List: tech-net
Date: 06/28/2003 18:08:24
In some mail from itojun@iijlab.net, sie said:
>
> >> > > Right. itojun imported pf into KAME today and started working on
> >> > > the setkey part. I haven't had time to catch up.
> >> > I get the impression that itojun's email was both premature and not
> >> > very well worded then, if you want to achieve the goals you're after.
>
> which portion seems premature?
>
> i'm working on multiple platforms in parallel, including:
> kame/freebsd4, kame/netbsd161, kame/openbsd33, openbsd-current,
> netbsd-current (call me crazy, if you want to). progress of work
> differs by each of the platform.
I won't call you crazy...just yet...
> kame/netbsd161 now enjoys IPsec-and-PF integration, as forwarded,
> and i would like to integrate it into netbsd-current.
This last step seems premature. Given that there have been lengthy delays
in the past with the integration of KAME work into NetBSD, I see no need
to start rushing now, especially when there are issues that need to be
resolved first. I've seen no support for this integration work besides
Jason saying that one less packet classifier in the kernel would be good.
If people want to use KAME/ALTQ/pf on NetBSD then they can download the
latest snapkit from www.kame.net, just like they would download any snap
kit to use the latest KAME code with NetBSD if they didn't want to wait
for it to be integrated into NetBSD. I think this work should spend more
time in the KAME tree before it goes into NetBSD, hopefully meaning that
NetBSD gets a more mature import, as a result, rather than getting what
appears to be a relatively unfinished/ill-prepared one. Especially if
you and Kenjiro haven't had any real conversation about where this is
all going. I doubt I'm the only one for whom this rings alarm
bells in their head.
The only rational reason I could see for you wanting to push this all
into NetBSD so quickly is if it was for some other reason that you have
not mentioned here yet, because the code in KAME is clearly not ready
to be imported into NetBSD for any kind of use that doesn't involve pf.
Whilst some might be happy with that, some are not and I'd prefer we
reached a position where everyone was happy, before proceeding, and with
time I believe that position can be achieved.
To summarise, in the short term I can see lots of reasons to wait before
bringing this into NetBSD but in the longer term, the KAME code should
improve and the end result would be a welcome change, I feel. If it means
that NetBSD lags a little in the meantime whilst KAME changes, I think
that this will be acceptable given the history of KAME/ALTQ and NetBSD.
Cheers,
Darren