Re: pf(4) status in 7.0-R

From: Michal Mertl <mime_at_traveller.cz>
Date: Sat, 02 Jun 2007 08:39:06 +0200
Max Laier wrote:
> [ moving this to the more specific list ]
> 
> On Friday 01 June 2007, LI Xin wrote:
> > Stanislaw Halik wrote:
> > > Heya,
> > >
> > > Are there any plans to sync pf(4) before 7.0-R? OpenBSD has some neat
> > > stuff in it, including expiretable functionality, which would come in
> > > handy.
> >
> > > Last time I talked with Max (Cc'ed) about the issue, we finally
> > figured out that porting the whole stuff would need some
> > infrastructural changes to our routing code, which could be risky so we
> > wanted to avoid it at this stage (about 15 days before RELENG_7 code
> > freeze).  On the other hand, some functionality (like the expiretable
> > > feature) does not seem to touch a large part of the kernel and might be
> > > an appropriate RELENG_7(_0) candidate.
> >
> > > Could you please enumerate some features that FreeBSD currently lacks
> > > and are considered "high priority" so we will be able to evaluate
> > whether to port?
> >
> > BTW.  Patches are always welcome, as usual :-)  So don't hesitate to
> > submit if you already did some work.
> 
> ditto.  I'd like to import a couple of features on a per-feature basis 
> rather than doing a complete import which isn't possible anymore due to 
> SMP and routing code changes.
> 
> Submit your list of features and I'll see what I can do this weekend.  My 
> list includes:
> 
> - keep state and flags S/SA to default
> - improved state table purging (this is internal, but a huge benefit)
> - interface handling (groups etc.)
> - pfsync / pflog update (not 100% sure about these due to libpcap / 
> tcpdump dependency)
> 
> While at it, I might also introduce needed ABI breakage for netgraph 
> interaction.
> 
> Anything else?
> 

The updated ftp-proxy - the one in the tree does not rewrite source IP
address of data connections and some firewalls (e.g. Windows Firewall)
don't let the connection through. It should be pretty easy to import -
the program is already in some form in the ports tree.

Michal
Received on Sat Jun 02 2007 - 04:52:53 UTC
