From: Cy Schubert
To: Peter Wemm
Cc: Baptiste Daroussin, freebsd-current@freebsd.org, Allan Jude
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Wed, 23 Jul 2014 08:42:23 -0700
Message-Id: <201407231542.s6NFgX4M025370@slippy.cwsent.com>
In-Reply-To: <20381608.Hhy3QfhrOP@overcee.wemm.org>
List-Id: Discussions about the use of FreeBSD-current

In message <20381608.Hhy3QfhrOP@overcee.wemm.org>, Peter Wemm writes:
> On Saturday 19 July 2014 13:06:52 Baptiste Daroussin wrote:
> > On Fri, Jul 18, 2014 at 03:22:18PM -0400, Allan Jude wrote:
> > > On 2014-07-18 15:07, Adrian Chadd wrote:
> > > > On 18 July 2014 07:34, krad wrote:
> > > > > That is true and I have no problem using man pages; however, that's
> > > > > not the way most of the world works, and search engines aren't exactly
> > > > > new either. We should be trying to engage more people, not less, and
> > > > > part of that is reaching out.
> > > >
> > > > Then do the port and maintain it.
> > > >
> > > > The problem isn't the desire to keep things up to date, it's a lack of
> > > > people who want that _and_ are willing/able to do it _and_ are funded
> > > > somehow.
> > > >
> > > > So, please step up! We'll all love you for it.
> > > >
> > > > -a
> > >
> > > At vBSDCon Bapt@ volunteered to port the newer pf back to FreeBSD, after
> > > spending some hours driving with Henning.
> >
> > I tried and broke pf for a month, and my changes have been reverted. This
> > is not as simple as it looks: our code has diverged a lot in some parts,
> > and we support things that OpenBSD does not (VIMAGE). Syncing features
> > requires us to be very careful. My priorities went elsewhere since that
> > time, so now I will probably only focus on bringing in features I care
> > about, and not the entirely new pf.
> >
> > So no, do not count me as a volunteer to maintain pf; I'll probably do
> > some work but not a full sync.
>
> If anyone is looking for a really useful chunk to work on, please go back
> over the pf history in OpenBSD and find where they added IPv6 fragment
> support. It was fairly well contained and didn't appear to be a big deal to
> port. They did do something with mbuf tags that I'm suspicious of, though.
>
> IPv6 fragments are the biggest pain point we have on the freebsd.org
> cluster - yes, we use pf and IPv6 extensively, but DNS with IPv6 involved
> is really painful without fragment support.
>
> We sort of work around it by using a dedicated IPv6 address that has
> nothing but the DNS resolver clients on it and allowing IPv6 fragments to
> it. It's not ideal, but it gets over the worst problems.
>
> The other thing we had to do for usability is stop state tracking for UDP
> DNS - the sheer update rate was causing collisions and state drops/resets
> of other connections, to the point of being really hard to use.
>
> Those two tweaks - stopping heavy DNS use from thrashing the state tables,
> and having a safe place to send fragments - make it quite usable for
> freebsd.org.
>
> But the lack of IPv6 fragment processing still causes ongoing pain. That's
> our #1 wish list item for the cluster.

Taking this discussion slightly sideways but touching on this thread a
little, each of our packet filters will need nat66 support too. Pf doesn't
support it, for sure. I've been told that ipfw may, and I suspect ipfilter
doesn't, as it was on Darren's todo list from 2009.

--
Cheers,
Cy Schubert
FreeBSD UNIX:    Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.
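The two workarounds Peter describes above (a resolver-only IPv6 address that is allowed to receive fragments, and stateless UDP DNS), written out as a pf.conf fragment. This is an added illustration, not the freebsd.org cluster's ruleset; the interface name, the address and the macro names are made up, and it assumes the 2014-era FreeBSD pf, where IPv6 fragments are not reassembled and a rule that matches them may carry no port criteria.

```pf
# Added example, not the freebsd.org cluster's real configuration.
# Assumed names: $ext_if is the uplink, $dns6 is a dedicated address
# used by nothing but the DNS resolver (documentation-prefix placeholder).
ext_if = "em0"
dns6   = "2001:db8::53"

# Reassembly is only asked for on IPv4; this pf cannot do it for IPv6.
scrub in inet all fragment reassemble

block in log on $ext_if

# Workaround 1: let IPv6 fragments reach the resolver-only address.
# Fragment rules are matched on protocol and addresses only, so no port
# can be given here; confining the rule to one address bounds what
# unreassembled fragments can reach, which is why that address hosts
# nothing else.
pass in quick on $ext_if inet6 proto ipv6-frag from any to $dns6

# Workaround 2: no state for UDP DNS, so a high query rate cannot churn
# the state table and evict other connections. Without state, replies are
# not admitted automatically, so each direction is allowed explicitly;
# the cost is that any packet from source port 53 to $dns6 is accepted,
# again limited to the resolver-only address.
pass out quick on $ext_if inet6 proto udp from $dns6 to any port 53 no state
pass in  quick on $ext_if inet6 proto udp from any port 53 to $dns6 no state

# Everything else keeps normal stateful filtering.
pass out on $ext_if keep state
```

Check what actually loaded with `pfctl -nf` on the file before applying it and `pfctl -sr` afterwards; a fragment rule that silently gained a port would never match.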