Getting Involved

Greg Hennessy Greg.Hennessy at nviz.net
Sat Jan 21 23:37:56 UTC 2012


> There is one catch.
> FreeBSD does not want to break compatibility of old syntax and that is why
> i did not port the latest version of pf(4).

Shades of the versioning/maintenance issues surrounding putting Perl in the base way back in the day. 

> What is there now makes it 'trivial' to go to the latest pf(4) version in

Does that include the performance improvements which came with the new version?
It would be interesting to know what impact, if any, they would have on the FreeBSD PF port.

> Open but there needs to be a layer of translation
> for the old syntax to new syntax.

As a one-off translation when someone upgrades major version numbers to the FreeBSD version hosting the new PF code?
Or run every time someone loads the security policy, for now and the foreseeable future?

> That is the only reason it's not been done.

I can see the issues; I hope it's not intractable.
The new syntax is a significant improvement; shame about the lack of thought given to backward compatibility.
 
With your expert knowledge on this, Ermal, is it possible to run both old and new PF parsers in there to generate a policy which would run against the newer packet filtering engine code?
Defaulting to the old syntax, with say something like `later_pf_enable="yes"` in rc.conf or a single 'use' line at the top of pf.conf to switch to the new syntax?


Regards

Greg