From: "Bjoern A. Zeeb" <bz@maildrop.int.zabbadoz.net>
Date: Sun, 20 Feb 2011 23:06:15 +0000 (UTC)
To: Maxim Khitrov
Cc: freebsd-pf@freebsd.org
Subject: Re: (no) PF from OpenBSD 4.7:
Message-ID: <20110220225113.E13400@maildrop.int.zabbadoz.net>

On Sun, 20 Feb 2011, Maxim Khitrov wrote:

Hey,

> On Sun, Feb 20, 2011 at 4:16 PM, jhell wrote:
>>
>> On Sun, 20 Feb 2011 13:27, eirnym@ wrote:
>>>
>>> On 20 February 2011 06:50, jhell wrote:
>>>>
>>>> On Fri, 18 Feb 2011 03:26, eirnym@ wrote:
>>>>>
>>>>> I heard a while ago about a packet filter update coming, but there's no
>>>>> news about it. What is the status of this update?
>>>>>
>>>>
>>>> This was for OpenBSD pf45, not pf47. The patchset should be somewhere in
>>>> the archives for HEAD.
>>>>
>>>
>>> Differences between pf45 and pf47 are much smaller than between pf45
>>> and the current pf.
>>>
>>> I've found them, but there's no status about them. Should I ask the same
>>> question on the freebsd-current@ mailing list?
>>>
>>
>> The difference being that after pf45 there was a syntax change that is nearly
>> incompatible with the current pf41-45 syntax, so AFAIR based on that pf45 was
>> voted as the most likely to be merged into HEAD.
>>
>> There is an email from Theo @openbsd.org about the syntactic changes that
>> have made people a little jumpy at adopting pf > 45, but eventually it will
>> work its way in.
>>
>> What advantages to using pf47 over using pf45 have you found in ``real use''?
>> And how realistic are those changes for the masses?
>
> The firewall (FreeBSD 7.3) that I manage at work currently contains 36
> nat/rdr rules and 39 filter rules. It's responsible for passing
> traffic between 4 different networks. After reading the OpenBSD pf
> FAQ, the biggest advantage that I see of pf47+ is the ability to
> combine related filter/nat/rdr rules, making the entire ruleset easier
> to maintain.
>
> Personally, I would love to see the latest version of pf make it into
> FreeBSD 9 or even one of the 8.x releases. Compatibility with existing
> syntax is not as important to me as the ability to simplify my set of
> rules.

I can already tell you that this will most likely not happen. There is
a lot of discussion (mostly private) going on and we'll see what the
plan to move forward will be after 9.0.

For 9.0 it will be pf45 + cherry picking + patches. The current ongoing
work, based on Ermal's previous patches, is in

  svn://svn.freebsd.org/base/projects/pf/pf45/

as of a couple of days ago, and Ermal and I have been working on cleaning
it up and finalizing it the last days. You can check that out (it's a
HEAD from 2 days ago) which passes universe now. It needs more whitespace
cleanup and a tiny bit here and there but is very good for testing!

If you simply care about simplifying your ruleset, use a preprocessor,
but frankly with 36+39 entries I wouldn't even start pondering about
simplification as that still fits on a single screen.

Seriously, for most users modifying the ruleset when updating IS the
worst that can happen, the same way two different versions of pfsync
don't work together anymore, etc. The lessons learnt from breaking
backward compatibility last time are still very present and though we
cannot currently get it 100% right we try hard to do the best we can to
not break again. Similar reasoning applies to 3rd party mgmt software
that sits on top of the syntax in a UI, etc.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
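To make the syntax change the thread is arguing about concrete, here is the same inbound web-server redirect written once in the pf45 syntax (what FreeBSD 9.0 ships, per the reply above) and once in the pf47 syntax Maxim refers to. This is an added illustration, not a ruleset from anyone in the thread; the interface and addresses are made up, and the two halves are alternative pf.conf excerpts, each loadable only by the pf version whose syntax it uses.

```conf
# Constructed example, not from the thread. Macros shared by both variants.
ext_if  = "em0"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

### Variant A: pf45 syntax (OpenBSD 4.5 / FreeBSD 9.0).
# Translation and filtering are separate rule classes. rdr rewrites the
# destination first, so the filter rule must match the *internal* address;
# a "pass in ... to ($ext_if) port 80" rule here would never match and the
# redirect would silently be blocked by the default deny below.
block in on $ext_if
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv
pass in on $ext_if proto tcp from any to $web_srv port 80
pass out on $ext_if

### Variant B: pf47 syntax (OpenBSD 4.7 and later).
# nat-to / rdr-to are options on match or pass rules, so the redirect and
# the filter decision for the same traffic live in one line, which is the
# "combine related filter/nat/rdr rules" advantage Maxim describes.
block in on $ext_if
match out on $ext_if from $int_net to any nat-to ($ext_if)
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv
pass out on $ext_if
```

Before loading either variant on a real box, run it through pfctl -nf to syntax-check it against the pf version actually installed; Variant A is rejected by a pf47 parser and Variant B by a pf45 parser, which is exactly the upgrade breakage the reply warns about.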