Core decided a while ago that npf is the way forward and pf and ipf will be deprecated and removed at some point. It is not worth the effort to try to update pf or ipf. We are not removing pf or ipf immediately but they will certainly be deprecated in netbsd-9 so they can be gone in netbsd-10.

We are aware that npf is not at feature and documentation parity with pf and ipf in NetBSD. We're pursuing a funded project to remedy this so that everyone will have a migration path for pf and npf. If you support this, please donate to The NetBSD Foundation!

There's a couple of task lists maintained here:

    src/doc/TODO.npf
    https://www.NetBSD.org/~rmind/npf/__tasklist.html

There's also extended documentation, beyond the man pages, here:

    https://rmind.github.io/npf/

I read through this thread, and what I've gathered that people are missing so far or find to be not documented clearly enough is:

- mss clamping (Brian Buhrow)
- ftp-proxy (Jan Danielsson)
- pf route-through/reply-to (Brian Buhrow)
- ipf groups (Manuel Bouyer)
- dynamic NAT updates
- pf netifN:0, netifN:network notation (John D. Baker)
- dynamic ifaddrs(netifN) (John D. Baker)
- address subset selection (John D. Baker)
- pf synproxy state (John D. Baker)
- BRIDGE_IPF (Piotr Meyer)
- ipf migration path (manu)
- https://gnats.netbsd.org/53199 (Patrick Welche)
- altq (Thor Lancelot Simon)
- port redirection (MLH)
- greylisting integration (MLH)
- equivalent of `log followers' (MLH)

Some of this may overlap with what's already in the task lists -- I didn't deduplicate them.

It would be helpful if we had a clear statement of what each of these items is, with:

1. a one-line summary
2. a small diagram of network topology
3. a description of the desired behaviour
4. an example configuration file in hypothetical notation
5. a sketch of an example packet trace
6. references to relevant standards

This would make it much easier for us to confidently address the shortcomings and write automatic tests for them, and/or update the documentation to make it clearer how to do these.

If you can send these to me, that would help us to organize a project to get npf in a position to replace pf and ipf for everyone as soon as possible.

Thanks,
-Riastradh, NetBSD Core Team
