Subject: Re: PF for netbsd
To: Ronald van der Pol <Ronald.vanderPol@rvdp.org>
From: None <itojun@iijlab.net>
List: tech-net
Date: 06/26/2003 23:54:26
>> 	ftp://ftp.kame.net/pub/kame/misc/netbsd-pf-20030626.diff
>> 	has PF (openbsd packet filter) for netbsd-current as of today.
>> 
>> 	caveats:
>> 	- does not support (interface) syntax
>> 	- ip_off/ip_len endian flipping needs testing
>> 
>> 	my ultimate goal is to replace ipsec policy engine by PF tagging
>> 	(just like ALTQ integration to PF on openbsd).
>
>Great. I was about to ask a question about pf support in NetBSD.
>Is pf going to be part of NetBSD?

	i certainly hope so.

>I am using ipfilter now and I think it has some shortcomings.
>I have no experience with pf yet, but its rules look more flexible.
>* Most of our rules are duplicated for IPv4 and IPv6. It looks
>  like pf tables can solve this.
>* We have Ethernet and gif external interfaces. On all those interfaces
>  we want almost the same firewall rules. It looks like this can be done
>  with interface lists.
> 
>The only thing missing for me is proper syslogging support. It looks like
>this is only possible with external scripts.

	pflog(8) provides that.

>BTW, is there a fundamental problem with interface syntax or is it just
>lack of time?

	just lack of time.  openbsd has hook_xx API, which is used to hook into
	IPv4 address addition/removal ioctls, and (interface) syntax uses it.
	we can either pull the hook_xx API, or do something different (like 
	go through in_ifaddr on every evaluation).

itojun
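For readers unfamiliar with the two pf features Ronald refers to (tables covering both address families, and interface lists), the following pf.conf fragment is an added illustration written for this archive page; it is not part of the netbsd-pf-20030626.diff nor of either mail. The interface names em0/gif0 and the addresses are constructed placeholders (RFC 5737/3849 documentation ranges).

```pf
# Added example, not from the thread. Interface names and addresses are
# constructed placeholders.

# Interface list: the same rules apply to the Ethernet and the gif tunnel,
# so they are not written twice per interface.
ext_if = "{ em0 gif0 }"

# One table holds IPv4 and IPv6 entries. A rule that references the table
# matches either family, so the v4/v6 rule duplication goes away.
table <admin_hosts> { 192.0.2.10, 2001:db8::10 }

# Default deny on the external interfaces; "log" copies matching packets
# to the pflog0 interface, where pflogd(8) records them.
block in log on $ext_if all

# Only the listed admin hosts may open SSH; stateful so replies pass.
pass in log on $ext_if proto tcp from <admin_hosts> to any port ssh \
    flags S/SA keep state

pass out on $ext_if keep state

# Not supported by the netbsd-pf-20030626.diff described above: the
# "(interface)" form that tracks an interface's current addresses, e.g.
#   pass in on em0 to (em0)
# It relies on the address add/remove hooks itojun mentions.
```

On logging, which the thread raises as the missing piece: rules carrying `log` are mirrored to the pflog0 pseudo-interface, pflogd(8) writes them in pcap format to /var/log/pflog, and `tcpdump -n -e -ttt -r /var/log/pflog` reads the file back, so no external script is needed to get a record of blocked traffic.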