Date:      Tue, 20 Nov 2012 09:16:58 -0500
From:      Fbsd8 <fbsd8@a1poweruser.com>
To:        Olivier Smedts <olivier@gid0.org>
Cc:        Gary Palmer <gpalmer@freebsd.org>, Paul Webster <paul.g.webster@googlemail.com>, freebsd-current@freebsd.org
Subject:   Re: Upgrading FreeBSD to use the NEW pf syntax. (Copied from freebsd-pf)
Message-ID:  <50AB90DA.4010404@a1poweruser.com>
In-Reply-To: <CABzXLYPNj3FxpsPZ5gO_p5kjFX441m3zpKT9eHRyXvXEyjpqjw@mail.gmail.com>
References:  <op.wn1vxr1jjfousr@box.dlink.com> <CABzXLYPYtQanh5O6%2BTH0=e46P990iXcDoB0apY_BOtzmn9-S7Q@mail.gmail.com> <20121120121333.GB88593@in-addr.com> <CABzXLYPNj3FxpsPZ5gO_p5kjFX441m3zpKT9eHRyXvXEyjpqjw@mail.gmail.com>

Olivier Smedts wrote:
> 2012/11/20 Gary Palmer <gpalmer@freebsd.org>:
>> On Tue, Nov 20, 2012 at 11:43:04AM +0100, Olivier Smedts wrote:
>>> 2012/11/20 Paul Webster <paul.g.webster@googlemail.com>:
>>>> I am aware this is a much discussed subject since the upgrade of PF, I
>>>> believe the final decision was that too many users are used to the old
>>>> style pf and an upgrade to the new syntax would cause too much confusion.
>>> But a change like this is expected in a new major branch, ie.
>>> 10-CURRENT. Not so in -STABLE branches of course. I don't see the
>>> problem here.
>> So you don't expect people to upgrade boxes in place?
> 
> I expect that before upgrading to a *major* version you should read an
> updating or "what's changed" documentation.
> 
>> I also guess you've never been 5,000 miles away from a box and typo'd something
>> in the firewall and locked yourself out.  Then think how tons of FreeBSD
>> users would feel if the default pf syntax was changed to be incompatible and
>> they find themselves in a similar situation after an upgrade.  Defaulting to
>> open, while it could solve the problem (although I would suspect there could
>> be edge cases where it doesn't), could be bad for other reasons.
> 
> This already happened to me but, no, not during a major upgrade
> because I won't do this kind of work without at least someone on-site.
> 
>> The other question that I haven't seen answered (or maybe even asked), but
>> is relevant: what do we gain by going to a later version of pf?  I.e. as an
>> administrator, what benefit do I get by having to expend effort converting
>> my filter rules?
>>
>> Gary
> 
> At some time we'll surely *have* to upgrade our pf, because the legacy
> version won't be supported upstream. I say that a major release is the
> most appropriate place for such a change.
> 
> Another question: how did OpenBSD manage this change?
> 
> Cheers
> 


Hey, I have been down this road myself. It's no longer possible to just
re-port the current OpenBSD version of PF to FreeBSD. The FreeBSD 
version has been rewritten. Read all the threads shown in this post for 
all the gory details.


[HEADS UP] merging projects/pf into head

http://lists.freebsd.org/pipermail/freebsd-pf/2012-September/006740.html





