tech-kern archive


Re: Removing PF



On 30/03/2019 at 11:06, Manuel Bouyer wrote:
On Sat, Mar 30, 2019 at 06:07:01AM +0100, Maxime Villard wrote:
[...]
If the effort hadn't been split on three firewalls in the last 10 years, but
rather had been focused on only one, don't you think NPF would now be
featureful?

Exactly. If work had been done to improve ipf instead of reinventing the
wheel, ipf would probably be in much better shape now.

Well, you're not wrong, but there were also many good reasons for developing a
firewall from scratch, and NPF is now used in commercial products, while IPF
is being dropped by commercial products. NPF is not a failure.

I'm still using ipf because npf misses the features I need (essentially
groups). Each time I mentioned this, no comments on this topic were made.

This is one of the reasons why we keep IPF for now, to wait for NPF to reach
feature-parity. This point hasn't been ignored.

But this thread is about PF, not IPF, and was prompted by the two recent PF
vulns that were not fixed in NetBSD by anyone.

I'm talking about the current state of affairs, and how to move forward. The
current state of affairs is that PF is in a deplorable state compared to NPF,
which "only" lacks a few features.

The argument made about "ftp-proxy", while understandable, does remain highly
questionable. PF hasn't received any security updates in NetBSD, so do people
really wish to still use it for ftp-proxy? It seems silly to use an outdated
firewall, because it creates more security holes than it plugs. Firewalls are
not supposed to be inflammable.

Please do not be confused: this thread is about PF, not IPF. I believe we can
easily resolve the ftp-proxy support issue on NPF.

