From owner-freebsd-pf@FreeBSD.ORG Mon Jan 23 09:08:52 2012
From: Ermal Luçi
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Mon, 23 Jan 2012 10:08:51 +0100
Subject: Re: Getting Involved
On Sun, Jan 22, 2012 at 12:26 AM, Greg Hennessy wrote:
>
> > There is one catch.
> > FreeBSD does not want to break compatibility of old syntax and that is why
> > I did not port the latest version of pf(4).
>
> Shades of the versioning/maintenance issues surrounding putting Perl in
> the base way back in the day.
>
> > What is there now makes it 'trivial' to go to the latest pf(4) version in
>
> Does that include the performance improvements which came with the new version?
> Would be interesting to know what impact, if any, they would have on the
> FreeBSD PF port.
>
> > Open but there needs to be a layer of translation
> > for the old syntax to new syntax.
>
> As a one-off translation when someone upgrades major version numbers to
> the FreeBSD version hosting the new PF code?
> Or run every time someone loads the security policy, for now and the
> foreseeable future?
>
> > That is the only reason it's not been done.
>
> I can see the issues, hope it's not intractable.
> The new syntax is a significant improvement, shame about the lack of thought
> given to backward compatibility.
>
> With your expert knowledge on this Ermal, is it possible to run both old
> and new PF parsers in there to generate a policy which would run against
> the newer packet filtering engine code?
> Defaulting to the old syntax, with say something like a
> 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of
> pf.conf to switch to the new syntax?

It's not that simple, but workable with a policy definition of what the translation layer does.

> Regards
>
> Greg

--
Ermal
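Since the thread turns on what a translation layer from the old pf.conf syntax to the newer one would have to do, here is an added example (not from the thread, and not FreeBSD's or OpenBSD's own code) sketching one: it rewrites the classic `nat`/`rdr`/`binat ... -> target` rules into the `match ... nat-to/rdr-to/binat-to` form and flags constructs that have no one-to-one equivalent instead of guessing. The `translate_rule` and `translate_conf` names and the sample rules in the test are constructed for this example.

```python
import re

# Added example, not code from the mailing-list thread or from pf itself.
# Rewrites pre-OpenBSD-4.7 style translation rules ("nat/rdr/binat ... -> target")
# into the newer "match ... nat-to/rdr-to/binat-to" form, one rule per line.
# Forms with no direct equivalent ("no nat", "nat-anchor", ...) are flagged for
# review rather than guessed: a silently wrong NAT rule is a policy change.

# old keyword -> (direction implied by the old rule, new translation option)
_XLATE = {"nat": ("out", "nat-to"), "rdr": ("in", "rdr-to"), "binat": ("", "binat-to")}

_NEEDS_REVIEW = re.compile(r"^\s*(no\s+(nat|rdr|binat)|(nat|rdr|binat)-anchor)\b")
_OLD_RULE = re.compile(
    r"^\s*(?P<kw>nat|rdr|binat)(?P<pass>\s+pass)?(?P<log>\s+log(?:\s*\([^)]*\))?)?"
    r"\s+(?P<body>.+?)\s*->\s*(?P<target>.+?)\s*$"
)


def translate_rule(line: str) -> str:
    """Return the new-syntax form of one old-syntax pf.conf line.

    Filter rules, macros, comments and blank lines pass through unchanged.
    Pool options after the target (e.g. "static-port") are kept verbatim,
    since they follow the target in the new syntax as well.
    """
    stripped = line.strip()
    if _NEEDS_REVIEW.match(stripped):
        return f"# REVIEW (no direct equivalent): {stripped}"
    m = _OLD_RULE.match(stripped)
    if not m:
        return line
    direction, option = _XLATE[m.group("kw")]
    # Old "nat pass" skipped the filter rules entirely; the closest new-syntax
    # form is a pass rule with "quick" so no later rule re-evaluates it.
    action = "pass" if m.group("pass") else "match"
    parts = [action]
    if direction:
        parts.append(direction)
    if m.group("log"):
        parts.append(m.group("log").strip())
    if m.group("pass"):
        parts.append("quick")
    parts.append(m.group("body").strip())
    parts.append(f"{option} {m.group('target').strip()}")
    return " ".join(parts)


def translate_conf(text: str) -> str:
    """Translate a whole pf.conf, preserving line order and untouched lines."""
    return "\n".join(translate_rule(l) for l in text.splitlines())
```

Whatever the translated output, the resulting ruleset still needs a `pfctl -nf` parse check and a review of rule order, since `match` rules do not pass traffic by themselves.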