Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related
To: Christos Zoulas <>
From: Arto Selonen <>
List: netbsd-bugs
Date: 03/01/2005 17:50:44

On Tue, 1 Mar 2005, Christos Zoulas wrote:

> not that big, it is usually easy to fix in a few days. Of course we have the
> ipfs issue that we have not been able to get working reliably yet... But that
> is another story. For the most part now ipf imports fix things and have more
> fixes than regressions, so they are worth doing.

Well, ipfs is a low priority, nice-to-have type of extension.
But ipfilter4 in NetBSD is still trying to get to where ipfilter3 was.
Many of version 4 features remain undocumented, and hence probably do not
get used much. So, most of the time is spent debugging "old" features
instead of the new ones (which would make ipf4 a real addition
and not just a buggy replacement). ipfs is not the only missing ipf3
feature; see e.g. kern/29529 (and kern/27079 before that).

But as I told Martti Kuparinen a couple of months after the first
ipfilter4 import: I think it was the right decision, and with hindsight
one could argue that it should have been brought in even sooner.
I still think bringing ipfilter4 in was a good choice, and I still
eagerly wait for the day when I can start taking advantage of the new 
stuff. And as much as I've complained about the problems with it,
it has remained in use, always seeming to err on the safe side.
I don't think it has ever let any unauthorized traffic through, and there 
was only a brief period of time when it blocked UDP traffic that should
have gotten through (DNS), thus causing real, immediate problems.

I'm sure ipfilter upgrades are getting better and will fix more things 
than they break, even though I'm probably too biased at the moment to see 
it happen right now.

Still waiting for ~100 day uptime in a production gateway/firewall
running -current... :)

