On Jan 31, 2019, at 11:12 AM, mark <m.roth at 5-cent.us> wrote:
>
> Why would *ANYONE* think that everyone should just start from scratch,
> taking all the time in the world to get it converted?

If the conversion were simple enough to be easily automated, the new system is probably no more than just a syntactic difference away from the old, and thus does not provide any interesting new functionality or change in existing functionality.

It's much the same as asking why there aren't automatic programming language conversion tools: we wouldn't need more than one programming language if they all mapped 1:1 to each other, short of going down to the machine code level and back up the technology stack.

Pretty much all the other major competing OSes have had at least one incompatible shift in their firewall implementations over the years, even that supposed bastion of ultimate stability, FreeBSD. I take that as a sign that those designing firewall schemes in the early 1990s didn't have magical levels of foresight when doing their work, so that replacements had to be incompatible to provide the functionality we now expect.

Warren Young wrote:
> On Jan 31, 2019, at 11:12 AM, mark <m.roth at 5-cent.us> wrote:
>>
>> Why would *ANYONE* think that everyone should just start from scratch,
>> taking all the time in the world to get it converted?
>
> If the conversion were simple enough to be easily automated, the new
> system is probably no more than just a syntactic difference away from the
> old, and thus does not provide any interesting new functionality or
> change in existing functionality.

Note that I spoke with my manager about using zones, and his opinion is they're crap - ok for one box, but not for the firewall usage I'm working on.

>
> It's much the same as asking why there aren't automatic programming
> language conversion tools: we wouldn't need more than one programming
> language if they all mapped 1:1 to each other, short of going down to the
> machine code level and back up the technology stack.

You mean like the one I meant to use 25 or so years ago, basic2c? You let them do the mass conversion, then you fix it. A lot faster than rewriting *everything*.

Unless you're talking about a program that converts from, say, C, to lisp....

<snip>

mark

On Thu, 31 Jan 2019 at 17:43, mark <m.roth at 5-cent.us> wrote:
> Warren Young wrote:
>
> > It's much the same as asking why there aren't automatic programming
> > language conversion tools: we wouldn't need more than one programming
> > language if they all mapped 1:1 to each other, short of going down to the
> > machine code level and back up the technology stack.
>
> You mean like the one I meant to use 25 or so years ago, basic2c? You let
> them do the mass conversion, then you fix it. A lot faster than rewriting
> *everything*.
>
>

Then 2 years later you have to figure out why some obscure thing is happening, can't read the converted code and just rewrite it all from scratch. [having been on that one for various programs converted via Fortran2C, Forth2C, Basic2C, and Prolog2C.]

Yes it is good to do a simple job but if you are doing something complicated which it sounds like your firewall rules are doing.. then you need to just learn the new tool and use it OR keep using what you have with the iptables.services until it is EOL.

> Unless you're talking about a program that converts from, say, C, to
> lisp....
>

--
Stephen J Smoogen.

On Jan 31, 2019, at 3:25 PM, mark <m.roth at 5-cent.us> wrote:
>
> Warren Young wrote:
>>
>> ...there aren't automatic programming
>> language conversion tools...
>
> You mean like the one I meant to use 25 or so years ago, basic2c?

All right, so it's a bad example, but it's bad both directions.

The problem of firewall rule conversion isn't about protecting billions of dollars of investment in development by moving from a disfavored, underpowered programming language to a faster, better, and rising language. The economic incentive for a firewall rule conversion tool is much smaller.

I don't think it's entirely uneconomic to solve this problem. I see two plausible options:

1. Find everyone who has this problem, have them all chip in $1-5, and you'll probably have enough to pay for the development of a tool at least as faithful as that BASIC to C translator you mentioned. We've got the crowdfunding platforms to make this possible.

2. Find a single organization that's got this problem badly enough that they're willing to fund the development of this tool from their internal IT/development budget. You might stretch it to two organizations resulting in a pair of collaborating developers, but beyond that, you've got too many cooks in the kitchen for the size of the problem, so you go to #1.

If you're like me, both look like hard solutions, which is probably a better answer to your question than my language translator attempt.