Hi,

OpenVPN has a built-in packet filter, which has a couple of issues

- it is IPv4 only (though IPv6 patches existed at some point, but nobody reviewed them, so they did not get merged)
- it can only be configured by a plugin or the management interface (so actually *using* it is not very straightforward)
- it is not tested in any automated way today
- none of the core developers uses it, or knows any deployment where it is used
- so if we break it, we might not even notice (this was actually what brought up the discussion today - if a plugin returns OPENVPN_PLUGIN_FUNC_ERROR on OPENVPN_PLUGIN_ENABLE_PF, openvpn will crash with a NULL pointer access...)
- not even OpenVPN AS, which usually uses "those interesting features that nobody else knows about" uses PF (compiles with --disable-pf)

Based on this, we consider ripping all the PF stuff *out* of OpenVPN for the 2.6 release ("hopefully later this year").

This is your chance to speak up and tell us "I use OpenVPN pf for this totally cool thing, and there is no way to do this with the firewalling layer the operating system provides, because..." :-)

So - surprise us!

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users