On Sun, Jan 22, 2012 at 12:26 AM, Greg Hennessy <greg.henne...@nviz.net> wrote:

> > There is one catch.
> > FreeBSD does not want to break compatibility of old syntax and that is why
> > I did not port the latest version of pf(4).
>
> Shades of the versioning/maintenance issues surrounding putting Perl in
> the base way back in the day.
>
> > What is there now makes it 'trivial' to go to the latest pf(4) version in
>
> Does that include the performance improvements which came with new version?
> Would be interesting to know what impact if any they would have on the
> FreeBSD PF port.
>
> > Open but there needs to be a layer of translation
> > for the old syntax to new syntax.
>
> As a one off translation when someone upgrades Major version numbers to
> the FreeBSD version hosting the new PF code?
> Or run every time when someone loads the security policy for now and the
> foreseeable future?
>
> > That is the only reason it's not been done.
>
> I can see the issues, hope it's not intractable.
> The new syntax is a significant improvement, shame about lack of thought
> given to backward compatibility.
>
> With your expert knowledge on this Ermal, is it possible to run both old
> and new PF parsers in there to generate a policy which would run against
> the newer packet filtering engine code?
> Defaulting to the old syntax, with say something like a
> 'later_pf_enable="yes"' in rc.conf or a single 'use' line at the top of
> pf.conf to switch to the new syntax?

It's not that simple but workable with a policy definition of what the translation layer does.

> Regards
>
> Greg

--
Ermal
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"