What's everyone's experience with modern PF in production? Also, not to start a holy war, but what people think about modern PF vs nftables? I've only ever used nftables (and only in fairly simple scenarios) but I've always been curious about the PF side of the world.

▲ accrual 3 minutes ago | parent | next [-]

I manage a pf.conf with about 400 rules across a dozen VLANs, I find it intuitive and even enjoyable to work on. It feels kinda like editing source code - there are some host, network, and port declarations at the top, a section for NAT and egress, then a section for each VLAN that contains the pass in/pass out rules.

I tail the pflog0 interface in a tmux session so I can keep an eye on pass/block, and keep a handy function in my profile to make it easy to edit the ruleset and reload:

    function pfedit {
            doas vi /etc/pf.conf && \
            doas pfctl -f /etc/pf.conf && \
            { c=`doas pfctl -s rules | wc -l | tr -d ' '`; printf 'loaded %s rules\n' "$c"; }
    }

▲ mono442 3 hours ago | parent | prev [-]

It's slower than nftables.

▲

touisteur 2 hours ago | parent | next [-]

Not to ask anyone for free work but any write-up on this, I'd love to read.

	▲	flipped 2 hours ago \| parent [-]
		https://toni.cunyat.net/2019/11/nftables-vs-pf-ipv4-filterin.... According to this article, it depends on usecase.

▲

2 hours ago | parent | prev [-]

[deleted]