DragonFly kernel List (threaded) for 2004-05
Re: GENERIC and firewall modules
Hiten Pandya wrote:
> Last time I checked, PFIL_HOOKS degrades the performance of the
> input/output path. For people who do not use a firewall solution,
> the additional processing is pointless.

I was among the people ranting for the inclusion of PFIL_HOOKS.
It is stupid to have /etc/rc scripts which allow loading the
ipfilter module (or the pf module), to have those modules compiled, and
not be able to load them. It was even a security hazard because you may
very well be unaware that the firewall module has not loaded. I
consider that for most people, the use of firewall software on their
machine is imperative, and of course this use has performance penalties.
In my opinion those few people who don't need firewall software, because
they are already protected behind another firewall, and who don't want
to incur the performance penalty of PFIL_HOOKS, may very well recompile
their kernel without this option. In many cases it is very inconvenient
to recompile a kernel (suppose for example you have fifty machines in a
lab, all with different kernel configurations!). So in my opinion one
should favor the system which causes less headache and less work for the
maximum number of people.

> FreeBSD guys only added it due to mass requests of firewall
> module brokenness. In my opinion, it would be better to just
> compile-in your firewall with a modified configuration; but
> as I said, that is my opinion.
>
> -Hiten
> hmp@xxxxxxxxxxxxx