On 12/16/20 12:27 AM, Gert Doering wrote:
Hi, On Tue, Dec 15, 2020 at 10:40:46PM -0600, Hector wrote:I would be glad to enumerate some of the shortcomings of NPF, in a follow-up message, and why I consider it to be in some ways a regression from PF, if anyone is interested.I certainly am, especially which of the more advanced features of PF you use. (Now I am not a NetBSD developer, just an interested user) gert
One pf feature I use is anchors. You can read about those in pf.conf(5) if you are not familiar with them. It is very useful to be able to make on-the-fly adjustments to part of the ruleset without disturbing any other parts.
As far as I can tell, npf has nothing like that.I also have some tables which have thousands of subnet entries (sourced from the filesystem). pf handles these with no problems.
npfctl(8) says: "Reloading the configuration is a relatively expensive operation." Yes, it is, more expensive than you might guess.Trying to load a npf ruleset with tables of thousands of entries takes _minutes_. In one case I had with tens of thousands of lpm table entries, 'npf reload' chewed for almost 20 minutes (!!), and then crashed, leaving the filter in an inoperable state.