Subject: Re: why no pfsync in NetBSD?
To: Tobias Nygren <>
From: Daniel Carosone <>
List: current-users
Date: 04/20/2007 10:05:18
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Apr 20, 2007 at 01:41:58AM +0200, Tobias Nygren wrote:
> pfsync(4) uses a rouge IP protocol number not formally assigned to it.
> This is a problem for an OS that wants to be standards-conformant.
> Also, there's no real reason why the pfsync(4) protocol can't be
> encapsulated in udp(4), is there? This shouldn't be impossible to
> implement, but we can't interoperate with the other BSDs if this
> route is taken.

political positioning aside, is it even meaninful to talk about
'interoperability' in this regard?  In other words, can there be any
meaningful state synchronisation between pf instances on a firewall
cluster where one member is netbsd and the other member is freebsd (or
whatever combination)?

I could *maybe* see this for CARP for basic router service, but not
for pf state.  So I'm not sure the 'interoperability' argument is
anything but a red herring.

On the other hand, if such heterogenous sync is possible and an
explicit goal (including protocol version stability, etc) then the pf
guys have achieved a rather more tasty herring than I expected.

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.7 (NetBSD)