eri at freebsd.org
Mon Jan 23 09:08:52 UTC 2012
On Sun, Jan 22, 2012 at 12:26 AM, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:
> > There is one catch.
> > FreeBSD does not want to break compatibility of old syntax and that is
> > I did not port the latest version of pf(4).
> Shades of the versioning/maintenance issues surrounding putting Perl in
> the base way back in the day.
> > What is there now makes it 'trivial' to go to the latest pf(4) version in
> Does that include the performance improvements which came with new version?
> Would be interesting to know what impact if any they would have on the
> FreeBSD PF port.
> > Open but there needs to be a layer of translation
> > for the old syntax to new syntax.
> As a one off translation when someone upgrades Major version numbers to
> the FreeBSD version hosting the new PF code?
> Or run every time when someone loads the security policy for now and the
> foreseeable future?
> > That is the only reason it's not been done.
> I can see the issues, hope it's not intractable.
> The new syntax is a significant improvement, shame about lack of thought
> given to backward compatibility.
> With your expert knowledge on this Ermal, is it possible to run both old
> and new PF parsers in there to generate a policy which would run against
> the newer packet filtering engine code?
> Defaulting to the old syntax, with say something like a
> 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of
> pf.conf to switch to the new syntax?
It's not that simple, but workable with a policy definition of what the
translation layer does.