From owner-svn-src-projects@freebsd.org Mon Apr 1 07:31:09 2019
From: "Kristof Provost"
To: "Cy Schubert"
Cc: "Ed Schouten", src-committers, svn-src-projects@freebsd.org
Subject: Re: svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl
Date: Mon, 01 Apr 2019 09:31:06 +0200
Message-ID: <9E67836D-5E66-4E82-AB3F-F854AE008759@FreeBSD.org>
In-Reply-To: <201904010728.x317SWXD076162@slippy.cwsent.com>
References: <201904010728.x317SWXD076162@slippy.cwsent.com>

On 1 Apr 2019, at 9:28, Cy Schubert wrote:

> In message , Kristof Provost writes:
>>
>>
>>> On 1 Apr 2019, at 08:39, Ed Schouten wrote:
>>>
>>> On Mon 1 Apr 2019 at 07:53, Kristof Provost wrote:
>>>> Users are advised to migrate to ipf.
>>>
>>> Has anyone considered importing netfilter/iptables?
>>>
>> Nftables, surely?
>> We wouldn’t want to import their outdated firewall.
>
> Does it support RFC 1149 and RFC 2549? None of our firewalls do. Then
> again, neither does our stack. How difficult would it be to support
> this?
>
I’ve done some investigating, and the current research indicates that while it is possible to filter RFC 1149 and RFC 2549 it’s very hard to train the falcons, and it does make a bit of a mess when you drop packets.

Regards,
Kristof