Subject: Re: Alternative to pf?
From: Jim Thompson
Date: Wed, 17 Dec 2014 21:15:11 -0600
To: Mario Lobo
Cc: freebsd-pf@FreeBSD.org
In-Reply-To: <20141217235636.3c607e57@Papi>

> On Dec 17, 2014, at 8:56 PM, Mario Lobo wrote:
>
> On Wed, 17 Dec 2014 20:05:10 -0600 Jim Thompson wrote:
>
>>> On Dec 17, 2014, at 7:54 PM, Mario Lobo wrote:
>>>
>>> On Thu, 18 Dec 2014 00:43:59 +0100 Daniel Engberg wrote:
>>>
>>>> Hi,
>>>>
>>>> During the year there have been several discussions regarding the state of pf in FreeBSD. In most cases it seems to boil down to it being too hard/time-consuming to bring upstream patches from OpenBSD to FreeBSD. As has been mentioned, Apple seems to update pf somewhat (copyright is changed to 2013 at least) and file size differs between OS X releases, but I wasn't able to find any commit logs.
>>>>
>>>> That said, NetBSD has something similar to pf in syntax called npf which seems actively maintained, and the author seems open to the idea of porting it to FreeBSD.
>>>> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
>>>> However, I'm not certain that it surpasses our current pf in terms of functionality in all cases (apart from the firewalling, ALTQ comes to mind, etc). Perhaps this might be worth looking into and in the end drop pf due to the reasons above?
>>>>
>>>> That said, don't forget all the work that has gone into getting pf where it is today.
>>>> While I'm at it, does anyone other than me use ALTQ? While it's not multithreaded, I find it a very good "tool" and it does shaping really well.
>>>>
>>>> Best regards,
>>>> Daniel
>>>
>>> I think that just pf and ipfw would be more than "enough" for FBSD. I have used both but I'm more comfortable with pf's configuration than with ipfw. I have even tested ipfw filtering together with pf altq. I totally rely on pf's ALTQ in production simply because it works perfectly, no matter how complex the setup. Been using it for years now.
>>
>> Even with the SMP in 10, pf is as slow as molasses in January, and 10G interfaces are a thing now.
>>
>> (Someone is sure to cry, "but I can fill a 10G interface in front of pf!". Yes, with max-sized packets. Try it with 256 byte (or 64 byte) packets. Yup.)
>>
>> Moreover, pf has fundamental limitations (last match).
>>
>>> From what I have read, there are quite a few changes in OpenBSD pf, especially as far as syntax is concerned. I'm just a user so I can only imagine the hard work involved in porting it, but running the risk of making a lame comment, I would be completely satisfied if only 2 things could be implemented: SMP and fix the ALTQ limitation "bug".
>>
>> FreeBSD already has SMP, and I don't know what you might be referring to as "ALTQ limitation 'bug'".
>>
>> Are you saying you'd be "completely satisfied" if you had SMP support with OpenBSD or a port of OpenBSD's pf to FreeBSD, or something else?
>
> You're right! But I am very conservative when dealing with production servers, and your observation that "Even with the SMP in 10, pf is as slow as molasses" is one of the reasons why I'm still with a fast stable/8 pf,

No, you seem to have (deliberately?) misinterpreted me.

The pf in 8 is even slower. A lot slower.

> plus the links we use are not even close to 10G,

So, "not my problem".

pf won't even fill a 1Gb link with min-sized packets.

> so an SMP pf patch that could be applied on 8 wouldn't be bad at all

Nobody in their right mind (who doesn't have an 8-figure engineering budget) is working on 8.

> Like I said, it has been working flawlessly for us since day one.
>
> Yeah, I know ... I'll have to upgrade sometime, but not before checking if everything works on 10 EXACTLY (and I mean EXACTLY) as it is working on 8 right now, SMP or not.
>
> I can't speak about the nuts and bolts of pf's inside engine, but as for the tweaks I can see and manage or its config syntax, yes I am satisfied, and I must confess that I wouldn't be thrilled to change my pf.conf to a different layout and pray that it works exactly the same way.

This is the largest reason that the OpenBSD pf wasn't brought forward.

In other words: you can't have both X and !X.

> As for the "bug" I was referring to:
>
> http://marc.info/?l=freebsd-pf&m=137359958238507&w=2
>
> It doesn't concern me in the practical sense because we're the little guys with modest small links to the internet, but it concerns me as a faithful user and admirer of FreeBSD that always wants to see it top notch no matter what conditions it is subjected to.

It's fixed in pfSense.

> --
> Mario Lobo
> http://www.mallavoodoo.com.br
> FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
> (99% winblows FREE)
>
> "UNIX was not designed to stop you from doing stupid things,
> because that would also stop you from doing clever things."