Date: Mon, 23 Jan 2012 10:08:51 +0100
From: Ermal Luçi <eri@freebsd.org>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Getting Involved
Message-ID: <CAPBZQG04b-2KcwUExdvxenu8YganO3%2B6u8egyFkttowxbK2ewg@mail.gmail.com>
In-Reply-To: <9EB23F6C23A8B6488E8BCC92A48E832612A5BC03A9@PEMEXMBXVS04.jellyfishnet.co.uk.local>
References: <CAConN%2BkZquK7MJ_6YPtEV=sJdqC%2BniRqMmp2ZgQL%2Bo2m1wvXSQ@mail.gmail.com> <CAPBZQG2S9T4v_4g09mXaukG4o3_4w8h51py6-iPoA%2BgmsuenUw@mail.gmail.com> <9EB23F6C23A8B6488E8BCC92A48E832612A5BC03A9@PEMEXMBXVS04.jellyfishnet.co.uk.local>

On Sun, Jan 22, 2012 at 12:26 AM, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:

> > There is one catch.
> > FreeBSD does not want to break compatibility of old syntax and that is why
> > I did not port the latest version of pf(4).
>
> Shades of the versioning/maintenance issues surrounding putting Perl in
> the base way back in the day.
>
> > What is there now makes it 'trivial' to go to the latest pf(4) version in
>
> Does that include the performance improvements which came with new version?
> Would be interesting to know what impact if any they would have on the
> FreeBSD PF port.
>
> > Open but there needs to be a layer of translation
> > for the old syntax to new syntax.
>
> As a one off translation when someone upgrades Major version numbers to
> the FreeBSD version hosting the new PF code?
> Or run every time when someone loads the security policy for now and the
> foreseeable future?
>
> > That is the only reason it's not been done.
>
> I can see the issues, hope it's not intractable.
> The new syntax is a significant improvement, shame about lack of thought
> given to backward compatibility.
>
> With your expert knowledge on this Ermal, is it possible to run both old
> and new PF parsers in there to generate a policy which would run against
> the newer packet filtering engine code?
> Defaulting to the old syntax, with say something like a
> 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of
> pf.conf to switch to the new syntax?

It's not that simple but workable with a policy definition of how what the translation layer does.

> Regards
>
> Greg

--
Ermal