OpenBSD Journal

Changes in IPFilter license to affect OpenBSD?

Contributed by Dengue on from the waffle dept.

tom writes : "It seems that the BSD community will have to face, presently and in the future, some copyright problems. In fact, the IPFilter code is copyrighted by Darren Reed who recently added the following to his license : "...Yes, this means that derivative or modified works are not permitted without the author's prior consent. " This little add radically changes the status of the software which can not be considered as open source anymore. Shall this modification influence the future of the OpenBSD project, who actually uses a modified version of IPFilter? source : "


  1. By methodic () on

    Oh well, looks like we're just gonna have to start an OpenIPF project. :)

  2. By Darren Reed () on

    There's been *one* person out of many who has
    made an informed comment about this issue.
    Strangely it was not Theo or any of the
    illustrious leaders of any project.

    Unfortunately for most of you, it was a private
    comment and the person involved actually knew
    real things about contract law, etc. I've asked
    them to make the comment public but so far they
    have not (they also pointed out that it was not
    legal for OpenBSD+crypto to be shipped out of
    Canada prior to BXA changes so long as the crypto
    originated from the USA).

    If Theo or anyone else actually knew something
    then they'd have ignored this just as everyone
    else should. Obviously everyone thought they
    knew better when in fact they knew jack shit.
    In short, it meant that whilst possible to make
    such changes, they would be thrown out (if ever
    an attempt was made to enforce them) by any half
    decent court.

    I won't bother to mention that this change has
    only been present in a version that was made
    available for testing purposes only and was not
    an actual release. Given the amount of crap you
    all decided to fling my way you'll find various
    other changes, from time to time, in that LICENCE
    file as it suits MY needs. Maybe if you all had
    not made such asses out of yourselves I'd not
    bother but the way you all think you know it all
    really bothers me. This applies to people from
    NetBSD and FreeBSD as well as OpenBSD.

    IPFilter IS NOT and HAS NEVER been a community
    project unlike what some people claim. There have
    been maybe a handful of people who have actually
    made any sort of significant contribution via code
    and even then it's more to help themselves as much
    as it is IPFilter.

    Other claims such as "you don't buy back our
    changes" are also a load of horse shit as I can
    confidently state that (for example) changes made
    by Theo to how securelevel is used within IPFilter
    were NEVER posted back to me so how he expected me
    to BUY BACK those is left for you to work out. I
    spend enough time making it work on other
    platforms and have little time to go chasing what
    other changes people make. Bad enough that I had
    to seek out and incorporate some changes such as
    the timeout changes in OpenBSD myself. Nobody
    even bothered to tell me about those and that was
    months ago.

    To go with all this crap, Theo even made threats
    about "I'll get the press onto you" and as a
    result some leper from LWR sent me an email saying
    he was doing an article on licencing this week.

    Threats do not scare me and I'll navigate IPFilter
    as I want to, not how some lamer in Canada thinks
    I should or how any other jock anywhere else wants
    me to. IPFilter is *MY* project and not anyone

    As you may have guessed, the attitude people took
    in their email to me has really got my goat and I
    care a whole lot less about a whole lot of BSD
    things as a result.

    p.s. if the editor removes any of that then he's
    just as much of an ass as the rest of you, except
    if he deletes this "p.s".

  3. By mirabilos () on

    IIRC the changes to the License affect only releases made thereafter.
    So the current ipfilter remains, and there will be a code split between the "official" ipfilter and NetIPF, FreeIPF and OpenIPF.
    This then will be licensed by the older terms.
    But just my 0.02 EUR, I'm no lawyer...

  4. By proof () proof at ifconfig dot net on

    This is an interesting study in hot-headedness and quickness to flame, on all sides. Often times just because we misunderstand what others say or feel, we lash out. That's probably not an appropriate response. Maybe taking a moment to see the other side would probably help.

    I hope no relationships were severed over something this small. No one's life is at stake, right?


    ... me goes back to listening to "The Sounds of Science" by the Beastie Boys

  5. By ted () on

    the beta that's now up for download contains the following line:

    * Redistribution is not permitted.

    but the individual files don't. so maybe it's not ok to redistribute the whole package, but individual files can be. ipf.c contains:

    * Redistribution and use in source and binary forms are permitted
    * provided that this notice is preserved and due credit is given
    * to the original author and the contributors.

  6. By COUDERC Damien () on

    I'm a user of OpenBSD since 2.3 (in fact first use was on 2.2, but the first install was 2.3 ;), and since this time I appreciated to use ipfilter.
    IMHO, this is the best packet filter we can find in the world ...

    But now, I see that my favorite os project is in war with my favorite packet filter ... this is really annoying.

    I think that ipf made *BSD better and that *BSD help to demonstrate that ipf was better.

    But now if in the future ipf cannot be included in the default install, and if it is replaced by another filter of the same level, my choice will be quickly done.
    I use OpenBSD for a lot of reasons, and one of them is that I can install this os in 10min, so I don't want to lose time in installing ipf as external package.

    Now why launching a war against us if you have a problem with theo ? We all know that theo is hot-tempered, but is this a good argument to put the BSD community under fire ?

    Anyway, I hope that this is only short time misunderstanding ...

    COUDERC Damien

  7. By David Xu () on

    This is always dangerous that whole BSD community
    rely their PACKET FILTER on one person's toy
    package --- IPFILTER. Fortunately, FreeBSD has
    its IPFIREWALL, I don't use IPFILTER, so I don't
    care if IPFILTER will be in *BSD.


  8. By Intrepid| () on

    If you read the LWN article on this and Mr. Reed's "RIP" comment, there is actually an answer. According to the revised copyright law (made effective in 1998 I believe), after Mr. Reed passes away, whenever that may be, we just have to wait 70 years before his code goes into the public domain.

    So, don't worry.

    Joy. What a bloody mess.

    Unfortunately, and I really mean that, Mr. Reed seems to have the legalities behind him on this. So whoever that private individual was whom he states contacted him via email to tell him this, well, they were right. Copyright law for non-visual works grants exclusive rights to the author the rights of distribution, reproduction (making copies), and derivations (modifications).

    Note that by exclusive rights, I mean exclusive rights given to the author, which some may confuse with the use of exclusive rights in copyright agreements, which are rights of copyrighted works wholly transferred to another--a different issue.

    Anyways, more to the point. The IPFilter license does not specify the last right, the right to modify. And the author retains those rights which are not specified (the rights are exclusive and inclusive, meaning that the rights are retained unless stated otherwise).

    Some of you out there may have noticed that Mr. Reed's IPFilter license did not include the frequently seen statement "All rights reserved" in his copyright notice. You may have interpreted this as a potential loophole. Under current law, you don't need that, so throw that theory out the door. He retains the right to modify, as he clarified.

    So far, I've really been talking US copyright law. But notice, that unlike crypto laws, copyright laws seem to extend from the author and go country to country, taking the shortest route. iow, even if copyright law in one country may somehow allow modifications, even if those other-country-legal modifications came to the US, the author (Mr. Reed) can claim copyright violations on US soil for US participants of that other code.

    Translation: This situation utterly sucks.

    While I agree with Mr. Reed's copyright claim, that's all I agree with. I do not agree with the sentiments that have come out of his clarification from him, particularly on this forum. And, in my personal opinion, the community has been misled. While Mr. Reed is under no direct obligation to enlighten us (users, developers, or project leaders all) of our mistake, he certainly did know of this limitation in the license, and, most importantly, he knew that the majority of the community generally was not clear on it. Even if project leaders or developers knew, *most* people did not.

    To (loudly? clearly? finally?) inform us on this late certainly doesn't make Mr. Reed a monster or what not, but to consider the whole picture, it also isn't exactly the actions of a person concerned with the community. Combine that with what this license clarification means...

    What does this clarification mean? To me, it seems that if Mr. Reed does not port the code or grants someone else permission to port the code to a particular OS and the default IPFilter code does not work on that OS (even down to the version and incremental OS updates), it violates his copyright if someone distributes code to make IPFilter work. Even if done as a patch (a derivative work is a derivative work, regardless of form--you can see more on this if you look at fan extended stories/works of TV series or movies).

    It doesn't matter if Mr. Reed drops his code deliberately or not--if he passes away, if he's behind keeping up, it's still a violation. Worse, he can reassure us all day that he will continue to provide updated code to all the BSDs, and then, one day, stop doing so. If an incompatibility or security hole comes up that he does not correct or grants permission to someone to correct, we're screwed.

    iow, it would appear that he controls features, code updates, security fixes, which OS it gets ported to, which version of IPFilter runs under what OS version, etc. He could, if under the current license, even play around and do favorites--maybe he decides he likes one OS better than another, so he'll update that one faster. Or feels the FreeBSD community is treating him better, so he'll implement the latest and greatest for them first, with a large wait before seeing the changes implemented in "competing" OSs.

    Note that I'm not saying that these things will come to pass or that my paranoia is accurate, but we also have no concrete and definitive knowledge under the current IPFilter license that they will not.

    Unless there is a change in the IPFilter license, I think an OpenIPF project may be warranted. If and until it does, in the meantime, I would urge people to politely ask Mr. Reed to change his license to save us both time and prevent a duplication of effort. IPFilter is excellent software. Just the license stinks.

    P.S. Note that this is not a failing of a BSD license. IPFilter's license simply is not a BSD license--the BSD license, both the original and the one without the advertising clause, clearly grants the right to modify code.

    P.S.S. Copyright extends to pseudonyms (actually, they are granted very slightly more rights than individuals) and to all posted works, even if without a copyright notice given. Funny, eh? :/

  9. By Paulo Laureano () on

    I like IPF.

    However I will go with whatever package OpenBSD adopts. I trust the OS package more than the ports (for obvious reasons) and the only way I would use a port (if at all available) would be for the lack of another option.

    I feel sorry for all this mess...

  10. By Roland Goetz () on

    Mr. Reed, I like your really fine product like the whole community, which did rely on your work. But I think you must change your license at least to GPL. Also you will see if we want to use your IPFilter in the future it have to have the possibility to be modified. It's a great pity if there will started another project. Excuse my english I am a German.
    Sincerely yours
    Roland Goetz

  11. By Darren Reed () on


    You will all be pigleet!

  12. By Ron J. Foster () on

    Well guys and gals, we have successfully managed to dig ourselves in to a hole. IPF is great software, and there is really no need to start our own OpenIPF. I don't think I'm just talking for myself here, but we don't have the time to start this project, there are too many other things that have to be done. Criticizing Darren Reed will just make this harder on all of us. We still don't have low level encrypted disk support, wouldn't that be more time efficient than OpenIPF, or what about all these new patches to the OpenBSD kernel that have been released lately ( to mention one), at some stage we should integrate them into the mainstream kernel. I can list many more tasks if anyone thinks we have time.

    Darren Reed: It's advisable for both our parties to come to an agreement shortly about this licensing dilemma. At this point we have two options, a license that we can use or creating our own project. I can't stress enough how the latter is a bad choice, but we'll do what we have to do; I hope you understand.

    All the rude posters: Are you actually coding software, are you going to contribute to the OpenIPF effort, because if you're not going to I suggest for everyone's benefit you don't give the hard working developers MORE work to do. This isn't about politics, or about who is right, or who is the bigger man, it's about being able to run a fully free and modifiable operating system at work or at home. We could have possibly dodged this bullet by being nice to Darren from the start, he may have changed the license right away for us.

    Darren, I apologize for everyone that has been giving you slack recently about this situation. Your IPF is necessary one way or another to the OpenBSD effort, you have done a wonderful job coding and designing (people often forget this time consuming part), and we as a whole would like to start over with you. Please consider modifying your license asap so we can all go back to getting our work done. There are already too few hours in the day.


  13. By tom () on

    I'm the one who posted the little note about IPF licensing, and I do really regret that post. Some people are so straight minded... shame on you, folks who flame so easily and don't even write a single line of code...

    Darren I do really apologize for all the mess here... I did not intend to start such a war, really.

    Btw you have to admit that changing your license in such a way is not acceptable for those people who write code and whose project depends, for a great part, on your IPFilter. Your license is not applicable to free software projects, I'm sure you do agree.

    Now the big question is : do you want, or not, your piece of software (a great piece, indeed) to take part of free software projects? I hope you do. Things must be clarified.

  14. By Lamont Granquist () on

    Darren, I hope you can take a really big deep breath and let all this shit roll off of you. For what it's worth, not only do I realize that legality is on your side, but I can understand why you licensed IPF the way that you did -- and support that you've got every right to do so.

    If Theo was actually an adult he'd accept your licensing restrictions and then make a choice about whether or not to include your code in the OpenBSD project.

  15. By Anonymous Coward () on

    With Darren's interpretation of the license a fork of IPF is not legal.

    This leaves the following choices.

    1. Start a new project or find another one.
    2. Accept Darren's interpretation and work with him to allow its inclusion in OpenBSD
    3. Work with lawyers to find a legal loophole that would make a fork legal.

    I believe that it is quite clear that Darren perceives the license as one similar to how Microsoft allows some of its customers to view its source without conveying additional

    Unfortunately the failed expectations of many have led to many heated discussions.

  16. By Blah () blah@[] on http://localhost

    Date: Tue, 29 May 2001 19:13:11 -0600
    From: Theo de Raadt
    Subject: ipf
    Precedence: bulk

    sometime in the next 20 hours, i will be removing ipf from the source
    tree since it does not meet our freedom requirements, as have been
    outlined in policy.html and goals.html since the start of our project.

    we will have to work on an alternative.

  17. By ted () on

    i realized this while discussing patches and licenses in an above thread. but i think it's pretty important.

    darren's license doesn't let you modify the software. that means you can't add a feature or fix a bug. so you can't submit patches to darren. all of the code in ipf that was submitted by contributors is illegal. they modified ipf - they broke the license. they distributed a modification - they broke the license again.

    if you are going to literally read exactly what the license says, that's what it means.

    darren, maybe you're still reading. hopefully you realize that all the submitted code is now illegal, by your definition. so are you going to remove it? (i think that'd be pretty stupid, but that's what your interpretation of the license would require.)

  18. By BluNereid () on

    Some Whois results for

    600 N. Chowning Avenue
    Apt. W110
    Edmond, OK 73034-5110

    Domain Name: OPENIPF.ORG

    Administrative Contact:
    Fries, Todd
    600 N. Chowning Avenue
    Apt. W110
    Edmond, OK 73034-5110

    Technical Contact:
    PO box 2031
    ann arbor, mi 48106-2031
    734 623 0456

    Billing Contact:
    Fries, Todd
    600 N. Chowning Avenue
    Apt. W110
    Edmond, OK 73034-5110

    Record last updated on 29-May-2001.
    Record expires on 25-May-2002.
    Record Created on 25-May-2001.

    Domain servers in listed order:

  19. By Raymond Causton () rc at on mailto:rc at

    First of all I'd like to extend my gratitude to you for creating my favourite firewall/filtering package for OpenBSD. Especially I like the syntax of ipf's rules as they are the only human readable ruleset language I've found up to date.

    How I perceive this entire mess of flaming each other about the license is very childish and doesn't do any good to any party in this discussion.

    I acknowledge that you have all the rights in the world to distribute your code and binaries just as you wish with the license that you wish to use.

    All I'm worried about is that if (as) your license change has prompted ill actions from all *BSD projects we in the user community will be left without up-to-date protection from the threats coming from the Internet.

    It seems that the main concern of different *BSD projects is that they are not able to apply fixes in to their operating system as they are found because of the modification restriction in the license. It seems that this translates to the fear of what if you will not have time/interest to support operating system Y in the future and they are restricted from helping themselves to fix possible problems because of the modification restriction.

    My suggestion would be to start negotiations with the *BSD projects to settle this dispute between you and the different projects by granting such licenses to the different Open/Free/NetBSD projects that ipf may be used and modified by the projects when used in their respective *BSD operating systems. This way you retain control over the general use and modification of ipf and most likely this would give enough leeway to the different *BSD projects as well.

    I hope you read this before this dispute goes too far to be settled peacefully.

    Yours Sincerely, Raymond Causton ITSec Professional

  20. By Anonymous Coward () on

    Somewhere along this thread Darren said:
    All that matters to me is IPFilter

    Good, now go install and boot IPFilter.


  21. By Jason Consorti () nunya on

    Here is my theory, I have no evidence to back this up but tell me if I sound off the mark:

    From what I can gather from Darren's postings here and the ipfilter mailing list, it seems that for the history of the project, Darren was himself under the impression that his license allowed use AND modification with trivial restrictions. Then, after some kind of disagreement with Wasabi and/or OpenBSD, he got angry and wanted to find out what he can do about his project being used by other projects. After talking to a lawyer, he discovered that his license never explicitly said anything about "modify" and he decided to play that card against Wasabi and/or OpenBSD.

    Read the following (in no particular order):

    Don't take this as an opinion of anything that has happened; I don't know enough to form one.

  22. By Buck Pyland () buck@bfg9000.localdomain on

    It seems that everybody involved in this issue are being dicks. Everybody knows Theo's a dick. Darren Reed, through his postings and comments, is just as much a dick as Theo. Get over yourself, mate. Yeah, you wrote some great software that people seem to like using, but so did Theo. Quite frankly, your shit stinks like everyone else's.

    Summary for the mentally retarded in this issue:
    1) Theo & co. should have seen this coming before including ipf in OpenBSD.
    2) Darren should have made his license totally clear and unambiguous from the start.
    3) Both the aforementioned persons have severe personality problems, but nothing that Prozac and a .38 caliber bullet to the head wouldn't cure.
    4) Everyone else should just relax.

  23. By RoadKiLL () on

    It's his code and if he wants to be a weenie, so be it. Many of us have contributed code without so much as a thank you ma'am. 10's of thousands of GPL and BSD licenced projects and packages attest to this fact. Those of us who did contribute have felt satisfied with the knowledge that we were able to give back something in return for all that we had received. One piss ant project won't even rate a blip on the radar and now that he has decided to react so violently to concerns raised about the inclusion of his work in the BSD distros only highlights the need to eradicate it entirely.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]