pf(4) status in 7.0-R

Max Laier max at love2party.net
Sat Jun 2 20:42:53 UTC 2007


On Saturday 02 June 2007, Michal Mertl wrote:
> Max Laier wrote:
> > [ moving this to the more specific list ]
> >
> > On Friday 01 June 2007, LI Xin wrote:
> > > Stanislaw Halik wrote:
> > > > Heya,
> > > >
> > > > Are there any plans to sync pf(4) before 7.0-R? OpenBSD has some
> > > > neat stuff in it, including expiretable functionality, which
> > > > would come in handy.
> > >
> > > Last time I talked with Max (Cc'ed) about the issue, we
> > > finally figured out that porting the whole stuff would need some
> > > infrastructural changes to our routing code, which could be risky
> > > so we wanted to avoid it at this stage (about 15 days before
> > > RELENG_7 code freeze).  On the other hand, some functionality (like
> > > the expiretable feature) does not seem to touch a large part of
> > > kernel and might be an appropriate
> > > RELENG_7(_0) candidate.
> > >
> > > Could you please enumerate some features that FreeBSD currently
> > > lacks and that are considered "high priority" so we will be able to
> > > evaluate whether to port?
> > >
> > > BTW.  Patches are always welcome, as usual :-)  So don't hesitate
> > > to submit if you already did some work.
> >
> > ditto.  I'd like to import a couple of features on a per-feature basis
> > rather than doing a complete import which isn't possible anymore due
> > to SMP and routing code changes.
> >
> > Submit your list of features and I'll see what I can do this weekend.
> >  My list includes:
> >
> > - keep state and flags S/SA to default
> > - improved state table purging (this is internal, but a huge
> > benefit)
> > - interface handling (groups etc.)
> > - pfsync / pflog update (not 100% sure about these due to libpcap /
> > tcpdump dependency)
> >
> > While at it, I might also introduce needed ABI breakage for netgraph
> > interaction.
> >
> > Anything else?
>
> The updated ftp-proxy - the one in the tree does not rewrite source IP
> address of data connections and some firewalls (e.g. Windows Firewall)
> don't let the connection through. It should be pretty easy to import -
> the program is already in some form in the ports tree.

How do people feel about removing ftp-proxy from the base altogether?  I 
think it's better off in ports anyway.  Opinions?

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News