Subject: Re: pf version in 3.1
To: J.D. Bronson <jbronson-netbsd@sixcompanies.com>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-users
Date: 04/02/2007 18:04:02
On Mon, 2 Apr 2007, J.D. Bronson wrote:

> I set up a router via 3.1-MAINT today and noticed some of the commands I am
> used to using in pf are not understood.
> 
> What revision is pf within 3.1 (compared to maybe Openbsd?)
> and can it be updated or do I have to wait until 4.0 comes out?

NetBSD 3.0 includes PF 3.6 (PF from OpenBSD 3.6) plus some patches from 
the OPENBSD_3_6 branch.

I made the assumption (for the book published) last summer that NetBSD 4.0 
includes PF from OpenBSD 3.7 with patches from the OPENBSD_3_7 branch.

It looks like 3.1 and 4.0 are mostly the same from a quick look.

The following is from the book (note that CARP and maybe other changes 
will be in 4.0):

Differences with OpenBSD

The usage of PF in NetBSD is basically the same as in OpenBSD, but
there are a few differences.  Most of them are missing features.

ALTQ is not supported by PF by default.  Enabling it in the kernel
will result in compilation errors.  You can only use ALTQ by using
PF as LKM and having ALTQ enabled in the kernel.  There's ongoing
work in NetBSD to make a decent ALTQ API and change PF to use that
API.  Footnote: See the ALTQ patches for NetBSD webpage at
http://nedbsd.nl/~ppostma/pf/altq.html.

pfsync(4) is not supported (due to protocol number assignment
issues).  This will hopefully be solved in a future release.

The carp(4) pseudo-device is not available in the default kernel.
It can be enabled as shown in the NetBSD kernel configuration above.
Or an alternative userland implementation, ucarp, can be installed
via pkgsrc for CARP.

The group keyword does nothing, because NetBSD doesn't keep the
GID in its socket structure.  This issue will probably be solved
in a future release.

Filtering on route labels is not working, because NetBSD doesn't have
labels for routes.  It is unknown whether this will be supported in a
future release or not.

spamd is not provided with the default installation of NetBSD.  It
is available via pkgsrc (mail/spamd).  See chapter
\ref{cha:Limiting-spam-with} for more information about spamd.

> PS. any ballpark date on 4.0?

The status is at http://www.netbsd.org/releng/releng-4.html.
It is incomplete though.


  Jeremy C. Reed
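An added example, not part of the mailing-list post or of the book it quotes: a small shell lint that flags the pf.conf constructs the post lists as unsupported or inert on NetBSD 3.x (ALTQ and queue statements, pfsync, the `group` keyword, and filtering on route labels) so that a ruleset written for OpenBSD is not silently weaker when loaded on NetBSD. The regular expressions, the `route "label"` address syntax it looks for, and the sample ruleset are assumptions made for this example; it is a line-oriented heuristic, not a pf.conf parser, and the constructed sample file is not from the post.

```shell
#!/bin/sh
# Added example (not from the post): heuristic lint for pf.conf constructs
# that the post says are unsupported or inert on NetBSD 3.x.
# Each check is "label pattern"; patterns are POSIX extended regexes and
# contain no whitespace so that a plain "read" can split the two fields.
# The patterns are assumptions (a heuristic, not a full pf.conf grammar).
checks='altq (^|[[:space:]])(altq|queue)([[:space:]]|$)
pfsync (^|[[:space:]])pfsync[0-9]*([[:space:]]|$)
group (^|[[:space:]])group[[:space:]]
route-label (^|[[:space:]])route[[:space:]]+"'

# Print one line per flagged ruleset line: "<label>: line <n>:<text>".
# Comment lines (leading #) are ignored so a mention in a comment is not a hit.
pf_netbsd3_flags() {
    printf '%s\n' "$checks" | while read -r label pattern; do
        grep -nE "$pattern" "$1" \
            | grep -vE '^[0-9]+:[[:space:]]*#' \
            | sed "s/^/$label: line /"
    done
    return 0
}

# Exit status 0 when nothing was flagged, 1 otherwise (usable in a deploy check).
pf_netbsd3_ok() {
    [ "$(pf_netbsd3_flags "$1" | wc -l)" -eq 0 ]
}

# Write a constructed sample ruleset (assumed syntax, not from the post) to a
# temporary file and print its path, so the lint can be demonstrated offline.
write_sample_conf() {
    f=${TMPDIR:-/tmp}/pf_netbsd3_sample_$$.conf
    cat > "$f" <<'EOF'
# constructed sample pf.conf for the lint demo
ext_if = "wm0"
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh }
queue std bandwidth 90% cbq(default)
queue ssh bandwidth 10% cbq
block in all
pass in on $ext_if proto tcp to port ssh group wheel
pass out on $ext_if from route "internal"
pass in on pfsync0
# group wheel mentioned in a comment must not be flagged
EOF
    printf '%s\n' "$f"
}

# When run directly: lint the file given as $1, or the constructed sample.
target=${1:-$(write_sample_conf)}
pf_netbsd3_flags "$target"
```

Run it as `sh pf_netbsd3_lint.sh /etc/pf.conf` before `pfctl -f`; a non-empty report means the ruleset relies on something the post says NetBSD 3.x does not honour, which matters most for the `group` match, since a rule that is meant to restrict access by group would otherwise load without error.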