Date: Sun, 7 Dec 2014 12:12:33 +0100
From: Kurt Jaeger
To: Martin Hanson
Cc: freebsd-pf@freebsd.org
Subject: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP)
Message-ID: <20141207111233.GQ44537@home.opsec.eu>
In-Reply-To: <363021417833295@web21g.yandex.ru>

Hi!

> Nobody in their right mind would run the current version of PF on
> FreeBSD!

There was a big discussion on PF this summer, see

http://lists.freebsd.org/pipermail/freebsd-current/2014-July/051229.html

There are several issues why it cannot easily be merged. The one
I remember was that the PF code is not suitable for multi-core use.
Today's hosts need multicore to keep up with line rates (and I have
a bunch of routers speaking BGP4 and running FreeBSD), so something
needs to be done in either direction.

There is an OpenBSD fork (!):

https://www.bitrig.org/

probably because of the way OpenBSD handles its issues, and maybe
the multicore (vs. old platform support) is one of them.

So please do not consider it an easy problem. It's hard.

-- 
pi@opsec.eu +49 171 3101372 6 years to go !