Date: Sat, 19 Jul 2014 19:59:23 -0700
From: Peter Wemm <peter@wemm.org>
To: freebsd-current@freebsd.org
Cc: Baptiste Daroussin <bapt@freebsd.org>, Allan Jude <allanjude@freebsd.org>
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <20381608.Hhy3QfhrOP@overcee.wemm.org>
In-Reply-To: <20140719110652.GR28314@ivaldir.etoilebsd.net>
References: <53C706C9.6090506@com.jkkn.dk> <53C973EA.5090104@freebsd.org> <20140719110652.GR28314@ivaldir.etoilebsd.net>

On Saturday 19 July 2014 13:06:52 Baptiste Daroussin wrote:
> On Fri, Jul 18, 2014 at 03:22:18PM -0400, Allan Jude wrote:
> > On 2014-07-18 15:07, Adrian Chadd wrote:
> > > On 18 July 2014 07:34, krad <kraduk@gmail.com> wrote:
> > >> that is true and I have no problem using man pages, however that's not
> > >> the way most of the world works and search engines aren't exactly new
> > >> either. We should be trying to engage more people not less, and part of
> > >> that is reaching out.
> > >
> > > Then do the port and maintain it.
> > >
> > > The problem isn't the desire to keep things up to date, it's a lack of
> > > people who want that _and_ are willing/able to do it _and_ are funded
> > > somehow.
> > >
> > > So, please step up! We'll all love you for it.
> > >
> > > -a
> >
> > At vBSDCon Bapt@ volunteered to port the newer pf back to FreeBSD, after
> > spending some hours driving with Henning.
>
> I tried and broke pf for month and my changes have been reverted, this is
> not as simple as it looks like, our code has diverged a lot in some parts and
> we do support things that openbsd does not (vimage). Sync features requires
> us to be very careful, my priorities went elsewhere since that time, so now
> I will probably only focus on bringing features I care about, and not the
> entirely new pf.
>
> So no do not count me as volunteer to maintain pf, I'll probably do some
> work but not a full sync.

If anyone is looking for a really useful chunk to work on, please go back over
the pf history in openbsd and find where they added ipv6 fragment support. It
was fairly well contained and didn't appear to be a big deal to port. They
did do something with mbuf tags that I'm suspicious of though.

IPv6 fragments are the biggest pain point we have on the freebsd.org cluster -
yes, we use pf and IPv6 extensively, but dns with ipv6 involved is really
painful without fragment support.

We sort-of work around it by using a dedicated IPv6 address that has nothing but
the dns resolver clients and allow ipv6 fragments to it. It's not ideal but
it gets over the worst problems.

The other thing we had to do for usability is stop state tracking for udp dns
- the sheer update rate was causing collisions and state drops / resets of
other connections to the point of being really hard to use.

Those two tweaks - stopping heavy dns use from thrashing the state tables, and
having a safe place to send fragments makes it quite usable for freebsd.org.

But, lack of ipv6 fragment processing still causes ongoing pain. That's our
#1 wish list item for the cluster.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…