Re: GENERIC and firewall modules

["Erik P. Skaalerud" <erik@xxxxxxxxxxxx>]

> > As with the current GENERIC, PFIL_HOOKS are not enabled by default.
> >
> > Any reasons for this? I dont know abotu the ipfw module, but the 
> > ipfilter module (ipl) can not load without PFIL in kernel.
> >
> > Perhaps it could be made default in GENERIC?
>
>     Last time I checked, PFIL_HOOKS degrades the performance of
>     input/output path.  People who do not use a firewall solution
>     the additional processing is pointless.
>
>     FreeBSD guys only added it due to mass requests of firewall
>     module brokenness.  In my opinion, it would be better to just
>     compile-in your firewall with a modified configuration; but
>     as I said, that is my opinion.

Yes, I do compile in firewall in kernel. But some people maybe dont. Or 
just need to load a firewall module in a quick hurry.
I really dont see the point of building firewall modules when the kernel 
afterall has to be rebuilt to make the modules work.

Could someone check if PFIL_HOOKS decreases system performance when not 
having any firewall activated?

Erik