From: Peter Wemm
To: freebsd-current@freebsd.org
Cc: Baptiste Daroussin, Allan Jude
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Sat, 19 Jul 2014 19:59:23 -0700
Message-ID: <20381608.Hhy3QfhrOP@overcee.wemm.org>
In-Reply-To: <20140719110652.GR28314@ivaldir.etoilebsd.net>

On Saturday 19 July 2014 13:06:52 Baptiste Daroussin wrote:
> On Fri, Jul 18, 2014 at 03:22:18PM -0400, Allan Jude wrote:
> > On 2014-07-18 15:07, Adrian Chadd wrote:
> > > On 18 July 2014 07:34, krad wrote:
> > >> that is true and I have no problem using man pages, however that's not
> > >> the way most of the world works and search engines aren't exactly new
> > >> either. We should be trying to engage more people not less, and part of
> > >> that is reaching out.
> > >
> > > Then do the port and maintain it.
> > >
> > > The problem isn't the desire to keep things up to date, it's a lack of
> > > people who want that _and_ are willing/able to do it _and_ are funded
> > > somehow.
> > >
> > > So, please step up! We'll all love you for it.
> > >
> > > -a
> >
> > At vBSDCon Bapt@ volunteered to port the newer pf back to FreeBSD, after
> > spending some hours driving with Henning.
>
> I tried and broke pf for a month and my changes have been reverted. This is
> not as simple as it looks: our code has diverged a lot in some parts and
> we do support things that OpenBSD does not (vimage). Syncing features requires
> us to be very careful. My priorities went elsewhere since that time, so now
> I will probably only focus on bringing features I care about, and not the
> entirely new pf.
>
> So no, do not count me as a volunteer to maintain pf. I'll probably do some
> work but not a full sync.

If anyone is looking for a really useful chunk to work on, please go back over
the pf history in OpenBSD and find where they added IPv6 fragment support. It
was fairly well contained and didn't appear to be a big deal to port. They
did do something with mbuf tags that I'm suspicious of though.

IPv6 fragments are the biggest pain point we have on the freebsd.org cluster -
yes, we use pf and IPv6 extensively, but DNS with IPv6 involved is really
painful without fragment support.

We sort-of work around it by using a dedicated IPv6 address that has nothing but
the DNS resolver clients and allow IPv6 fragments to it. It's not ideal but
it gets over the worst problems.

The other thing we had to do for usability is stop state tracking for UDP DNS
- the sheer update rate was causing collisions and state drops / resets of
other connections to the point of being really hard to use.
Those two tweaks - stopping heavy DNS use from thrashing the state tables, and
having a safe place to send fragments - make it quite usable for freebsd.org.

But, lack of IPv6 fragment processing still causes ongoing pain. That's our
#1 wish list item for the cluster.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
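A pf.conf sketch of the two workarounds the message describes (a dedicated resolver address that alone accepts IPv6 fragments, and stateless handling of UDP DNS), added here as an illustration; it is not the freebsd.org cluster's actual ruleset. The interface name, the resolver address and the use of `proto ipv6-frag` to match fragments are assumptions, not taken from the thread.

```pf
# Added illustration only; names and addresses below are constructed.
ext_if = "em0"
dns6   = "2001:db8::53"   # the dedicated address used only by resolver clients

set skip on lo0

# Default deny. Because this pf cannot reassemble IPv6 fragments, any
# fragment not matched by a more specific rule is dropped here.
block log all

# Tweak 1: accept IPv6 fragments only when addressed to the resolver
# address. Nothing else listens there, so unreassembled fragments cannot
# reach other services on the host.
pass in quick on $ext_if inet6 proto ipv6-frag to $dns6

# Tweak 2: resolver traffic bypasses the state table, so a burst of
# queries cannot evict other connections' state entries.
# Stateless rules must cover both directions explicitly.
pass out quick on $ext_if inet6 proto udp from $dns6 to any port 53 no state
pass in  quick on $ext_if inet6 proto udp from any port 53 to $dns6 no state

# Everything else stays stateful.
pass out on $ext_if keep state
```

Note the trade-off the stateless rule makes: any UDP packet with source port 53 now reaches any UDP port on $dns6, which is why the address must carry nothing but the resolver clients.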