On 16/12/2020 17:02, Hector wrote:
On 12/16/20 12:27 AM, Gert Doering wrote:Hi, On Tue, Dec 15, 2020 at 10:40:46PM -0600, Hector wrote:I would be glad to enumerate some of the shortcomings of NPF, in a follow-up message, and why I consider it to be in some ways a regression from PF, if anyone is interested.I certainly am, especially which of the more advanced features of PF you use. (Now I am not a NetBSD developer, just an interested user) gertOne pf feature I use is anchors. You can read about those in pf.conf(5) if you are not familiar with them. It is very useful to be able to make on-the-fly adjustments to part of the ruleset without disturbing any other parts.
> As far as I can tell, npf has nothing like that. >Based on that description npf has that and its called a ruleset. Inside my external group I have:
ruleset "blacklistd"
I can then add and remove dynamic rules from that ruleset (or rather
blacklistd does on my behalf) without impacting any other part of the
rules by doing:
npfctl rule blacklistd add ... and npfctl rule blacklistd remove ... Is that what you meant?
Trying to load a npf ruleset with tables of thousands of entries takes _minutes_. In one case I had with tens of thousands of lpm table entries, 'npf reload' chewed for almost 20 minutes (!!), and then crashed, leaving the filter in an inoperable state.That sounds like a nasty bug. I wonder if its trying to bpfjit the whole lot and blowing up? Not using table support so its not something I would have run into.
I admit I'm at the more complex end of the soho setup level with a /29 of IPv6 and a /64 of routed IPv6.
Haven't run into performance or stability issues though on 8.x or 9.1 and like you I was wary of making the switch to it (from IPF in my case).
Mike