On Tue, Mar 18, 2008 at 10:11:24AM -0700, patrick keshishian wrote:
> I am questioning whether it makes sense to introduce such changes
> into the kernel and pf just to solve such a specific use-case. I
> would argue that it probably does not make all that much sense to
> introduce so many changes into the kernel, complicated the code
> with respect to maintenance, readability and security for the
> benefit of a very small use-case issue.

Are you talking about Girish's implementation or Ermal's?
Because Girish's implementation tries to put as little code into
the kernel as possible...

> > As always OpenBSD should do things in the best manner possible.
> > Always place correctness and perfection before anything else.

IMHO "correctness and perfection" does not equal "can't be used to
do NAT at large conferences where multiple attendees might want to
use pptp." Rather, it means "can be used to do NAT at large conferences
where multiple attendees might want to use pptp and still uses a clever
way of doing so."

You might as well dismiss pf's ability to do NAT altogether because
NAT is an imperfect short-term workaround for IPv4 address space
shortage, and instead tell people to finally switch to IPv6 already
because this is the more correct and elegant solution. You would be
right, but in reality NAT and pptp are in widespread use and therefore
OpenBSD benefits from supporting them both because it makes it yet a bit
more applicable to real-world scenarios.

--
stefan
http://stsp.name PGP Key: 0xF59D25F0

[demime 1.01d removed an attachment of type application/pgp-signature]