Hi Claudio,

Claudio Jeker wrote on Mon, Apr 01, 2019 at 07:01:03AM +0200:

> There have been internal discussions about OpenBSD also removing the pf
> packet filter after the upcoming 6.5 release. Instead a switch to
> using David Gwynne's new bpf filter will happen.
> The benefits outweigh the drawbacks and the missing features will be
> readily implemented in time for the 6.6 release.

Wouldn't it cause less work to do the two planned next steps in the
opposite order?  I.e. remove the concept of packet routing first,
replacing it with bridge(4) as planned, for 6.6?  That would mean
an immediate huge gain in security because routing requires *lots*
of network daemons, and network daemons are notorious for being
attack targets.  Not to mention the benefits for net neutrality,
which appears to be a topic of growing concern, too.  And after
that switch, there would be much fewer missing features to implement
in bpf, then for 6.7.


Reply via email to