Hi Claudio,

Claudio Jeker wrote on Mon, Apr 01, 2019 at 07:01:03AM +0200:

> There have been internal discussions about OpenBSD also removing the pf
> packet filter after the upcoming 6.5 release. Instead a switch to
> using David Gwynne's new bpf filter will happen.
> The benefits outweigh the drawbacks and the missing features will be
> readily implemented in time for the 6.6 release.

Wouldn't it cause less work to do the two planned next steps in the opposite order? I.e. remove the concept of packet routing first, replacing it with bridge(4) as planned, for 6.6?

That would mean an immediate huge gain in security because routing requires *lots* of network daemons, and network daemons are notorious for being attack targets. Not to mention the benefits for net neutrality, which appears to be a topic of growing concern, too.

And after that switch, there would be much fewer missing features to implement in bpf, then for 6.7.

Yours,
Ingo