From: sam
Date: Wed, 04 May 2005 08:35:44 +0800
Subject: Re: HEADSUP: pf import [done]
Message-ID: <427818E0.2070702@tech-21.com.hk>
In-Reply-To: <200505031954.13739.max@love2party.net>
cc: freebsd-current@freebsd.org, freebsd-pf@freebsd.org

Max Laier wrote:

>All,
>
>the import went through smoothly and you should be able to get it from a
>cvs(up) server near you by now. Some general, random notes:
>
>1) Anchor syntax changed
>| Users of authpf(8) must change their anchor rule in the main ruleset from
>|   anchor authpf
>| to
>|   anchor "authpf/*"
>
>2) pfsync takes syncdev instead of syncif: When configuring the pfsync device,
>use 'syncdev' instead of the deprecated keyword 'syncif'.
>3) authpf(8) needs a mounted fdescfs(5)
>4) synproxy no longer works on outgoing rules (it never should have)
>5) The code has been tested, but there is always a chance that some bugs
>remain unfound. If you spot anything, please let me know.
>
>Features that are in OpenBSD, but not yet in FreeBSD:
> - Filtering on route labels (we don't have any).
> - Return-rst on IP-less bridges (bridge support is still behind; There is
>   work ongoing to improve this as well, though.).
> - Congestion prevention/graceful comeback (subject to future work).
>
>New features (from the OpenBSD release announcements):
> + pfctl(8) now provides a rules optimizer to help improve filtering speed.
> + pf, now supports nested anchors.
> + Support limiting TCP connections by establishment rate, automatically
>   adding flooding IP addresses to tables and flushing states
>   (max-src-conn-rate, overload , flush global).
> + Improved functionality of tags (tag and tagged for translation rules,
>   tagging of all packets matching state entries).
> + Improved diagnostics (error messages and additional counters from
>   pfctl -si).
> + New keyword set skip on to skip filtering on arbitrary interfaces, like
>   loopback.
> + Several bugfixes improving stability.
>
>
>

Is the new import included in 5.4 Release?

Sam
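Notes 1, 2 and 4 in the quoted announcement are changes that can silently alter what an existing ruleset enforces after the upgrade, so a pre-upgrade check of the configuration is worthwhile. The following is an added example, not part of the original message or of FreeBSD: a small linter whose sample input is constructed, and whose handling of the `nat-`/`rdr-`/`binat-anchor` forms goes beyond the note, which mentions only `anchor`.

```python
import re

# Constructed sample: a partly migrated pf.conf plus one rc.conf-style line.
SAMPLE = '''\
ext_if = "fxp0"
nat-anchor "authpf/*"
anchor authpf            # old authpf(8) anchor form
pass in on $ext_if proto tcp to port 22 synproxy state
pass out on $ext_if proto tcp \\
    to port 80 synproxy state
ifconfig_pfsync0="syncif fxp1"
'''

# Anchor named exactly authpf (quoted or not), i.e. without the "/*" suffix.
ANCHOR_OLD = re.compile(r'^(?:nat-|rdr-|binat-)?anchor\s+"?authpf"?(?:\s|$)')
DIRECTION_OUT = re.compile(r'^(?:pass|block)\s+out\b')

def logical_lines(text):
    """Yield (first_line_no, rule): comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None

def lint(text):
    """Return [(line_no, finding)] for notes 1, 2 and 4 of the announcement."""
    findings = []
    for no, rule in logical_lines(text):
        if ANCHOR_OLD.match(rule):
            findings.append((no, 'authpf anchor must be written "authpf/*"'))
        if DIRECTION_OUT.match(rule) and re.search(r'\bsynproxy\b', rule):
            findings.append((no, "synproxy state on an outgoing rule"))
        if re.search(r'\bsyncif\b', rule):
            findings.append((no, "deprecated pfsync keyword syncif; use syncdev"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

Rules with no explicit direction also match outgoing traffic and are not flagged here; review any such rule that uses `synproxy state` by hand.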