On Mon, 1 Apr 2019, Johnny Billquist wrote:
On 2019-04-01 15:16, Emmanuel Dreyfus wrote:On Sat, 30 Mar 2019, Maxime Villard wrote: 2) If the effort had been on one firewall instead of three, the one chosen would be more functional.Well, I cannot tell for PF, but IPF is functionnal, I use it a lot and I am not alone It may have bugs, but if you really have to remove it, please make sure there is an easy migration path.Yeah. I happen to use ipf as well.Anecdotal it would appear that npf might be the least tested or used option...
Until the proplib transfer size was increased, I found any attempts to migrate real-world rulesets from ipf to npf hit were unsuccessful because the rulesets were too large to load (this is compounded by the way state is handled). Therefore, unless developers had private proplib patches, npf cannot have been tested with even moderate-sized rulesets. Of course, it could be argued that as long as you have tested all the functionality being used by those rulesets, you should be able to safely assume it will scale.
-- Stephen