PF from OpenBSD 4.7

Damien Fleuriot ml at my.gd
Mon Feb 21 08:18:28 UTC 2011


On 20 Feb 2011, at 23:16, Maxim Khitrov <max at mxcrypt.com> wrote:

> On Sun, Feb 20, 2011 at 4:16 PM, jhell <jhell at dataix.net> wrote:
>> 
>> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>> 
>>> On 20 February 2011 06:50, jhell <jhell at dataix.net> wrote:
>>>> 
>>>> On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>>>>> 
>>>>> I heard a while ago about a packet filter update coming, but there's no
>>>>> news about it. What is the status of this update?
>>>>> 
>>>> 
>>>> This was for OpenBSD pf45, not pf47. The patchset should be somewhere in
>>>> the archives for HEAD.
>>>> 
>>> 
>>> Differences between pf45 and pf47 are much smaller than between pf45
>>> and current pf.
>>> 
>>> I've found them, but there is no status about them. Should I ask the same
>>> question on the freebsd-current@ mailing list?
>>> 
>> 
>> The difference being that after pf45 there was a syntax change that is nearly
>> incompatible with the current pf41-45 syntax, so AFAIR, based on that, pf45 was
>> voted as the most likely to be merged into HEAD.
>> 
>> There is an email from Theo @openbsd.org about the syntactic changes that
>> have made people a little jumpy at adopting pf > 45 but eventually it will
>> work its way in.
>> 
>> What advantages to using pf47 over pf45 have you found in "real use"?
>> And how realistic are those changes for the masses?
> 
> The firewall (FreeBSD 7.3) that I manage at work currently contains 36
> nat/rdr rules and 39 filter rules. It's responsible for passing
> traffic between 4 different networks. After reading the OpenBSD pf
> FAQ, the biggest advantage that I see of pf47+ is the ability to
> combine related filter/nat/rdr rules, making the entire ruleset easier
> to maintain.
> 

See it another way, you've got as little as 70 rules to maintain, overall.

I have 1k-ish spread over roughly 20 PF boxes.

While I yearn for the ability to use include directives and such, my main concern remains that during an upgrade the risk be minimal.

> Personally, I would love to see the latest version of pf make it into
> FreeBSD 9 or even one of the 8.x releases. Compatibility with existing
> syntax is not as important to me as the ability to simplify my set of
> rules.
> 

As a matter of fact, and without considering whether this would be doable or not:

It would be awesome to be able to choose in the kernel config file the desired version for pf.

Have both pf45 and pf47, with the current "pf" entry referring to pf45 so as not to break anything.


Would that even be feasible, guys?



> - Max
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
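As an added illustration of the syntax change Max refers to (this is not part of the original thread, and the interface name and addresses are constructed for the example): the same policy, first in the pf45-style syntax that FreeBSD 7.3 ships, where translation and filtering are separate rules that must be kept consistent by hand, then in the OpenBSD 4.7 style, where nat-to and rdr-to are options on match and pass rules, so the filter decision and the translation live in one line.

```pf
# Constructed example values, not taken from the thread.
ext_if = "em0"
lan    = "192.168.1.0/24"
web    = "192.168.1.10"

# --- pf45 style (FreeBSD 7.3): translation rules are evaluated first,
# --- then a separate filter rule must pass the already-translated packet.
# nat on $ext_if from $lan to any -> ($ext_if)
# rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web port 80
# pass in on $ext_if proto tcp from any to $web port 80
# pass out on $ext_if from $lan to any keep state

# --- pf47 style (OpenBSD 4.7): translation is an option on the rule
# --- that also decides whether the packet passes. The pass rule matches
# --- the pre-translation destination, i.e. the external address.
match out on $ext_if from $lan to any nat-to ($ext_if)
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web
pass out on $ext_if from $lan to any
```

The maintenance advantage is the one Max names: with the pf45 layout, removing the pass rule for $web but forgetting the rdr (or the reverse) leaves a half-configured forward that is easy to overlook in a ruleset of several dozen lines; with the pf47 form, deleting the single pass rule removes both the filter decision and the redirection together. The two dialects are not interchangeable, which is the compatibility concern raised earlier in the thread.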

