Subject: Re: PF for netbsd
To: None <itojun@iijlab.net>
From: Ronald van der Pol <Ronald.vanderPol@rvdp.org>
List: tech-net
Date: 06/26/2003 16:42:45
On Thu, Jun 26, 2003 at 19:09:02 +0900, itojun@iijlab.net wrote:

> 	ftp://ftp.kame.net/pub/kame/misc/netbsd-pf-20030626.diff
> 	has PF (openbsd packet filter) for netbsd-current as of today.
> 
> 	caveats:
> 	- does not support (interface) syntax
> 	- ip_off/ip_len endian flipping needs testing
> 
> 	my ultimate goal is to replace ipsec policy engine by PF tagging
> 	(just like ALTQ integration to PF on openbsd).

Great. I was about to ask a question about pf support in NetBSD.
Is pf going to be part of NetBSD?

I am using ipfilter now and I think it has some shortcomings.
I have no experience with pf yet, but its rules look more flexible.
* Most of our rules are duplicated for IPv4 and IPv6. It looks
  like pf tables can solve this.
* We have Ethernet and gif external interfaces. On all those interfaces
  we want almost the same firewall rules. It looks like this can be done
  with interface lists.
The only thing missing for me is proper syslogging support. It looks like
this is only possible with external scripts.
BTW, is there a fundamental problem with interface syntax or is it just
lack of time?

	rvdp
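A pf.conf fragment illustrating the two points raised above (one table holding both IPv4 and IPv6 prefixes, and an interface list so one rule set covers several external interfaces), added here as an example and not taken from the thread or from the NetBSD diff. The interface names ex0 and gif0 and the addresses are assumed (documentation ranges), and the unsupported `(interface)` address syntax is deliberately avoided.

```pf
# Added example, not from the original message or the diff.
# Assumed interface names: ex0 (Ethernet) and gif0 (tunnel).

# Interface list: each rule below expands into one rule per interface.
ext_if = "{ ex0, gif0 }"

# One table with both address families, so a single rule covers v4 and v6.
table <mgmt> const { 192.0.2.0/24, 2001:db8:1::/48 }

# Default deny on the external interfaces.
# "log" writes to the pflog0 interface (read with pflogd/tcpdump), not to syslog.
block in log on $ext_if all

# The same rule matches IPv4 and IPv6 members of the table.
pass in  on $ext_if proto tcp from <mgmt> to any port ssh keep state
pass out on $ext_if proto { tcp, udp } all keep state

# ICMP and ICMPv6 are still separate protocols and need separate rules.
pass in on $ext_if inet  proto icmp  all icmp-type  echoreq keep state
pass in on $ext_if inet6 proto icmp6 all icmp6-type echoreq keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax against the ported parser before enabling it.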