tech-kern archive


Re: Removing PF



Core decided a while ago that npf is the way forward and pf and ipf
will be deprecated and removed at some point.  It is not worth the
effort to try to update pf or ipf.  We are not removing pf or ipf
immediately but they will certainly be deprecated in netbsd-9 so they
can be gone in netbsd-10.

We are aware that npf is not at feature and documentation parity with
pf and ipf in NetBSD.  We're pursuing a funded project to remedy this
so that everyone will have a migration path for pf and npf.  If you
support this, please donate to The NetBSD Foundation!

There's a couple of task lists maintained here:

src/doc/TODO.npf
https://www.NetBSD.org/~rmind/npf/__tasklist.html

There's also extended documentation, beyond the man pages, here:

https://rmind.github.io/npf/

I read through this thread, and what I've gathered that people are
missing so far or find to be not documented clearly enough is:

- mss clamping (Brian Buhrow)
- ftp-proxy (Jan Danielsson)
- pf route-through/reply-to (Brian Buhrow)
- ipf groups (Manuel Bouyer)
- dynamic NAT updates
- pf netifN:0, netifN:network notation (John D. Baker)
- dynamic ifaddrs(netifN) (John D. Baker)
- address subset selection (John D. Baker)
- pf synproxy state (John D. Baker)
- BRIDGE_IPF (Piotr Meyer)
- ipf migration path (manu)
- https://gnats.netbsd.org/53199 (Patrick Welche)
- altq (Thor Lancelot Simon)
- port redirection (MLH)
- greylisting integration (MLH)
- equivalent of `log followers' (MLH)

Some of this may overlap with what's already in the task lists -- I
didn't deduplicate them.  It would be helpful if we had a clear
statement of what each of these items is, with:

1. a one-line summary
2. a small diagram of network topology
3. a description of the desired behaviour
4. an example configuration file in hypothetical notation
5. a sketch of an example packet trace
6. references to relevant standards

This would make it much easier for us to confidently address the
shortcomings and write automatic tests for them, and/or update the
documentation to make it clearer how to do these.  If you can send
these to me, that would help us to organize a project to get npf in a
position to replace pf and ipf for everyone as soon as possible.

Thanks,
-Riastradh, NetBSD Core Team

