tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Experiments with npf on -current

On 23 November 2011 07:56, Matthew Mondor <> 
> On Tue, 22 Nov 2011 22:55:09 -0600 (CST)
> "Jeremy C. Reed" <> wrote:
>> We should strive for a higher standard. We should encourage and maybe
>> better require that we provide unit tests and/or behaviour tests with
>> commits too.  (Was there ever a public core announcement about when code
>> is added or bug fixed, that the developer should consider adding ATF
>> tests or regression tests for it?) (I'd like to extend this to include
>> security audit tests as applicable, documentation requirements, and peer
>> review requirements too.)
>> We should suggest and even force that code known to be broken to be
>> reverted. (Well I think this is already true, but not happening?) (It
>> will be easier when we have a better revision control so many can work
>> easier on branches.)
> While I agree with most of what you said on a technical level,
> unfortunately one must also come to the evidence that NetBSD
> maintainers are volunteers with limited time and resources :(
> So between the ideal and the practice, it's normal if a gap exists...
> That said, I find that the NetBSD code base in general is of a high
> quality, and the review process which I often see happening on mailing
> lists, while sometimes tedious, tends to help a lot.
> As for ipfilter vs npf, npf is known to be in development by most of
> us, I think; and ipfilter (or sometimes pf) are still being used on
> production systems by many where reliability is important and existing
> firewall scripts are maintained and relied-upon (I currently use
> netbsd-5 and ipfilter myself).  This doesn't mean that an alternative
> cannot be in development, incomplete or unstable (especially on an OS
> also known to be good for research, such as NetBSD)...

I think its fine for there to be experimental features in - current -
specifically features which have not yet been in any formal release.

In this case I think a note in the manpage, or a stderr message from
npfctl to alert users might have been helpful...

Home | Main Index | Thread Index | Old Index