From owner-freebsd-questions@FreeBSD.ORG Fri Jul 18 11:06:55 2014
Date: Fri, 18 Jul 2014 15:06:45 +0400
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: "Kristian K. Nielsen"
Cc: freebsd-current@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <20140718110645.GN87212@FreeBSD.org>
In-Reply-To: <53C706C9.6090506@com.jkkn.dk>
References: <53C706C9.6090506@com.jkkn.dk>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: User questions

Kristian,

On Thu, Jul 17, 2014 at 01:12:09AM +0200, Kristian K. Nielsen wrote:
K> a) First of all - is anyone actively developing pf in FreeBSD?

No one right now.

K> b) We are a major release away from OpenBSD (5.6 coming soon) - is
K> following OpenBSD's pf the past? - should it be?

Following OpenBSD on features would be cool, but no bulk imports will be
made again. Bulk imports produce a bad-quality port, and pf in OpenBSD
also has no multi-thread support.

K> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a
K> long discussion on the pf mailing list flamed the new syntax, saying it
K> would cause FreeBSD administrators too much headache. Today on the list
K> it seems everyone wants it - so would we rather stay on a dead branch
K> than keep up with the mainstream?

The pf mailing list is about a dozen active people. Yes, they are vocal
on the new syntax. But there also exists a large number of common FreeBSD
users who simply use pf w/o caring about syntax or reading the pf mailing
list. If we destroy syntax compatibility, a very large population of users
would be hurt for the sake of making a dozen happy.

K> d) Anyone working on bringing FreeBSD up to pf 5.6? - seems dead on the
K> pf-list.

See b).

K> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
K> http://undeadly.org/cgi?action=article&sid=20140419151959

We have a plan to retire the interface queues entirely. So interfaces
would have only a transmit method. However, we could make it pluggable:
an altq_transmit is plugged in place of the standard transmit. This will
keep ALTQ in the system, but w/o any effect on the rest of the stack.
Very much like the pfil(9) interface cleaned up the network stack from
ipfw/ipfilter hooks. This needs developer power, however.

K> f) IPv6 support? - it seems to be more and more challenged in the current
K> version of pf in FreeBSD, and I am (as well as others) introducing more
K> and more IPv6 in networks.
K> E.g. Bugs #179392, #172648, #130381, #127920 and, more seriously, #124933,
K> which is the bug on not handling IPv6 fragments, which has been open
K> since 2008 and where the workaround is the necessity to leave a completely
K> open hole in your firewall ruleset to allow all fragments. According to
K> a comment in the bug, this has been long gone in OpenBSD.

Yes. This hurts a lot of people and needs manpower to be solved.

K> g) Performance: can we live with pf performance that, compared to OpenBSD,
K> is slower by a factor of 3 or 4, even after the multi-core support in
K> FreeBSD 10?
K> (Henning Brauer noted that in this talk at
K> http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and
K> 36:53)) - credit/Jim Thompson

I was there. Henning Brauer impudently called "a lies" a fact that was
carefully measured and provided with enough details (CPU, NIC, testing
technique, configuration) so that anyone can reproduce and check it [1].
In the next 10 seconds Henning Brauer claimed that on a single core
OpenBSD is faster by a factor of 3 or 4, providing absolutely no test
data. Impudently crying "Lies!" and achieving approving laughter from the
audience is a politician's way of discussion. Uncorroborated claims, where
predictions vary by 33%, are also a politician's tool. Henning definitely
could have made a career.

The scientific way of discussion is making an experiment and publishing
the results and experiment details, so that anyone can reproduce them.

P.S. Not to mention: who cares about single-core performance today?

K> h) Bringing back patches from pfSense?

Possible if they are useful and the license permits. Again, manpower
required.

K> And my most important question:
K>
K> * Should this or could this be a project for the foundation to either do
K> a summer project or a funded project to bring this part of the OS up to date?

First we need a person, then we need funding. In late 2012, when I
finished the pf-smp project, I was seeking funding to continue. A couple
of negotiations failed. Now I have lost the momentum on pf and switched to
other tasks, so I am not available.

[1] I mean the testing made by Olivier Cochard-Labbé.
https://twitter.com/ocochardlabbe/status/401349027960082432/photo/1
More details in the mailing list archives, or you can request them from
Olivier.

-- 
Totus tuus, Glebius.