From: "Kristof Provost"
To: freebsd-pf@freebsd.org
Subject: Re: Updating our translation functionality
Date: Thu, 27 Feb 2020 10:21:06 +0100
Message-ID: <966CF6DF-0EFF-4F92-924C-552F4F72A6A0@FreeBSD.org>
In-Reply-To: <20200227100837.02d60d16@opal.com>

On 27 Feb 2020, at 10:08, J.R. Oldroyd wrote:

> I read back and found the thread last August "Update to PF from OpenBSD
> 6.5".
>
> I was going to ask the same thing but, given the complexities discussed
> in the responses there, perhaps the question should be asked a different
> way round.
>
> How much work would it be to add in OpenBSD's latest translation
> functionality to our implementation?
>
> OpenBSD's pf has new translation functionality, specifically nat64
> support using the "af-to" syntax. At the same time, existing
> translation syntax was changed with the nat, binat and rdr rule
> syntax changing to "pass ... nat-to ..." etc.
>
> I think it is good that we are still called "pf" here and that we do try
> to maintain compatibility with other pf implementations. So, we should
> consider adding the new translation functionality to our implementation.
> Understood that this means requiring changes to existing pf.conf
> configurations but these can be documented with examples and announced
> in advance.
>
> How big of a project would this be?
>

I don’t know. I’ve not specifically investigated the nat64 bits, and they’re (to me) the least interesting bits as well. It’s possible that they can be imported without too much trouble, but someone would have to sit down and spend the time on it. Right now this isn’t even on my todo list and I’m not planning to add it either.

Given that this change would break compatibility with existing configurations (unless significant extra work is done to cope with this) I’m not keen on it. I’d need to see very good arguments for introducing an intermediate painful step between the current situation and a state where we have the same syntax as OpenBSD.

If you’re looking for nat64, IPFW has an implementation.

Best regards,
Kristof