Date:      Tue, 20 Aug 2019 14:31:56 +0200
From:      Tom Marcoen <tom.marcoen@gmail.com>
To:        Kristof Provost <kp@freebsd.org>
Cc:        Goran Mekić <meka@tilda.center>, mlaier@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: Update to PF from OpenBSD 6.5
Message-ID:  <CAJ-iVrMgN7AExyr-c6GZxmc2jzZmc3Fr2uAPDt7A1FCjhgL92g@mail.gmail.com>
In-Reply-To: <9723E5F9-8883-4629-9B32-2485F57E89AA@FreeBSD.org>
References:  <CAJ-iVrOfPZK_HKnXz=JQGSbUt7NG=00dYhDHKT8cSzmEfY1cBw@mail.gmail.com> <85968D92-66E6-4024-83C9-D82C115A35FE@FreeBSD.org> <20190820103214.tc5x23tjiecp3kkx@hal9000.home.meka.rs> <9723E5F9-8883-4629-9B32-2485F57E89AA@FreeBSD.org>

Hey Kristof,

Thank you for your very thorough explanation! It is very interesting to
read that FreeBSD's PF is, in some ways, "better" than OpenBSD's (with
regards to scalability).

It was also very simplistic to state FreeBSD's version of PF essentially
equals OpenBSD 4.1's version. I made this statement based on the
information on http://pf4freebsd.love2party.net/: "In HEAD - pf is at
OpenBSD 4.1 - at this time." Of course this website might be outdated (it
gives a date of March 8, 2004!) but it also presents it in a very
simplistic manner.

Anyway, thanks again for the many insights.

On Tue, 20 Aug 2019 at 13:06, Kristof Provost <kp@freebsd.org> wrote:

> On 20 Aug 2019, at 12:32, Goran Mekić wrote:
>
> On Tue, Aug 20, 2019 at 11:49:18AM +0200, Kristof Provost wrote:
>
> One thing I’ve thought of trying, and that might be an interesting stepping
> stone, is to create a port (/usr/ports/net/opf or whatever) of OpenBSD’s
> pf.
> In that version it’d be acceptable to not fix any of the above issues. It’d
> still give users the option of getting the new syntax. I’d expect this to be
> a relatively straightforward exercise.
>
> That would be cool, but only if FreeBSD PF can not be "fixed" to support
> OpenBSD PF syntax.
>
> The main issue there is one of compatibility. How happy will our users be
> if their rulesets suddenly stop working after an upgrade?
>
> Anyway, none of this is on my active todo list. Don’t expect to see it any
> time soon.
>
> In principle there’s nothing to stop us from doing that same work in base,
> but we’re **NOT** going to import a fourth firewall. We’re just not.
>
> Are you sure? https://2019.eurobsdcon.org/talk-speakers/#NPF. At least I
> hope the import is pfil based.
>
> I don’t know what George’s plans are exactly, but it’s likely that he’s
> doing the porting work to get an apples-to-apples comparison of firewall
> performance, not because he wants to maintain another firewall.
> Either way, I’m not pushing for another firewall. George gets to own one
> if he wants to.
>
> Regards,
> Kristof
>


