From: Gleb Smirnoff <glebius@FreeBSD.org>
To: freebsd-current@freebsd.org
Date: Tue, 29 Jul 2014 15:23:06 +0400
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <20140729112306.GF89995@FreeBSD.org>
In-Reply-To: <53C706C9.6090506@com.jkkn.dk>

Yet another top reply to everyone.

If anyone is interested in maintaining our FreeBSD version of pf and taking strategically right (my opinion!) steps in its life, here is a short TODO list:

1) Make Peter and the FreeBSD cluster happy. Work on the IPv6 fragments handling. IMHO, the right way would be understanding the problem in its depth and writing code yourself, taking ideas or code snippets from OpenBSD. Do not try to blindly replay all their commits over our tree.

2) Do a massive API/ABI cleanup. I had started the process, but did less than 10% of it. We need to stop sharing structures between pf internals and ioctls. All kernel structures should live in pfvar.h, and all API in pf.h. The userland utilities should forget pfvar.h. This is a huge task. No performance benefit, no new shiny features. But this is strategically correct if we want good support of pf in stable branches. Right now we can't merge any feature back due to breaking the ABI. Even fixing bugs usually would require ABI breakage. Also, after completing the cleanup and header split, further development would become easier.

3) Right now the hot point of contention is the pf_rules_rwlock. It is reader-vs-reader contention on the cache line. Eliminating it would bring a good performance gain on SMP. This would probably require an RCU-like management of rules. Fortunately, the rules in pf are changed in "one commit", unlike in ipfw, rule by rule.

4) Convert all counters in pf to counter(9). That would be the next point of contention once 3) is done.

*) Cherry-pick any feature you need from OpenBSD. This requires understanding the code. Replaying commits won't work.

P.S. I'm sorry for saying what should be done without doing that myself. I've spent quite a lot of time on pf; I was promised funding for that and later deceived. Real life changes like a new job, children, etc. shifted my focus away from pf and I simply can't dedicate the amount of time to pf that I used to.

-- 
Totus tuus, Glebius.
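Editor's note: the C program below is an added userspace illustration of points 3) and 4) of the list above; it is not pf code, not from the FreeBSD tree, and not the author's. It assumes a constructed rule format (prefix match on the source address plus an optional destination port) and invented names (ruleset_build, ruleset_install, ruleset_lookup, matches_total). It shows the two mechanisms the message points at: readers look up rules through a single atomically loaded pointer to an immutable ruleset, so they never write a shared lock word and cannot contend with each other the way readers of a rwlock do, and a writer replaces the whole set in one step, which is possible because pf rulesets change as one commit; match counters are kept per CPU on separate cache lines and only summed when someone asks, which is the idea behind counter(9).

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NCPU 4   /* number of simulated CPUs; constructed for the illustration */

/* One filtering rule (constructed format, not pf's struct pf_rule). */
struct rule {
    uint32_t src_net;   /* network address, host byte order */
    uint32_t src_mask;  /* netmask, host byte order */
    uint16_t dport;     /* 0 matches any destination port */
    int      pass;      /* 1 = pass, 0 = block */
};

/* An immutable ruleset. Readers never modify it; a writer builds a new one. */
struct ruleset {
    size_t      nrules;
    struct rule rules[];
};

/* The active ruleset. Readers only load this pointer, so the only shared
 * word they touch is read-only for them: no rwlock, no reader-vs-reader
 * bouncing of a lock's cache line. */
static _Atomic(struct ruleset *) active_rules = NULL;

/* Per-CPU match counters, one per 64-byte line, so an increment on one CPU
 * never invalidates the line holding another CPU's counter (counter(9) idea). */
struct pcpu_counter { _Alignas(64) uint64_t value; };
static struct pcpu_counter matches[NCPU];

/* Copy n rules into a freshly allocated, immutable ruleset. */
struct ruleset *ruleset_build(const struct rule *r, size_t n)
{
    struct ruleset *rs = malloc(sizeof(*rs) + n * sizeof(*r));
    if (rs == NULL)
        return NULL;
    rs->nrules = n;
    memcpy(rs->rules, r, n * sizeof(*r));
    return rs;
}

/* Publish a new ruleset in one step and return the old one. The release
 * side of the exchange pairs with the readers' acquire load, so a reader
 * that sees the new pointer also sees the rules behind it. The caller may
 * free the old set only once no reader can still hold it; a real RCU
 * scheme tracks that grace period instead of trusting the caller. */
struct ruleset *ruleset_install(struct ruleset *rs)
{
    return atomic_exchange_explicit(&active_rules, rs, memory_order_acq_rel);
}

/* Lock-free lookup on behalf of `cpu`. First matching rule wins; no match
 * means block and does not touch the counters. */
int ruleset_lookup(int cpu, uint32_t src, uint16_t dport)
{
    struct ruleset *rs = atomic_load_explicit(&active_rules, memory_order_acquire);
    if (rs == NULL)
        return 0;
    for (size_t i = 0; i < rs->nrules; i++) {
        const struct rule *r = &rs->rules[i];
        if ((src & r->src_mask) == r->src_net &&
            (r->dport == 0 || r->dport == dport)) {
            matches[cpu % NCPU].value++;   /* private slot: plain increment */
            return r->pass;
        }
    }
    return 0;
}

/* Summing the per-CPU slots happens only on demand (think pfctl -s info),
 * never on the packet path. */
uint64_t matches_total(void)
{
    uint64_t total = 0;
    for (int i = 0; i < NCPU; i++)
        total += matches[i].value;
    return total;
}

/* Build an IPv4 address in host byte order. */
uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

int main(void)
{
    /* Ruleset 1 (constructed): pass SSH from 10.0.0.0/8, everything else blocked. */
    struct rule v1[] = { { ip4(10, 0, 0, 0), 0xff000000u, 22, 1 } };
    free(ruleset_install(ruleset_build(v1, 1)));   /* old set is NULL here */
    printf("10.1.2.3:22  -> %d\n", ruleset_lookup(0, ip4(10, 1, 2, 3), 22));
    printf("192.0.2.1:22 -> %d\n", ruleset_lookup(1, ip4(192, 0, 2, 1), 22));

    /* Ruleset 2 replaces the whole set in one commit: now SSH from 10/8 is blocked. */
    struct rule v2[] = { { ip4(10, 0, 0, 0), 0xff000000u, 22, 0 } };
    free(ruleset_install(ruleset_build(v2, 1)));   /* safe: no concurrent readers */
    printf("10.1.2.3:22  -> %d\n", ruleset_lookup(2, ip4(10, 1, 2, 3), 22));
    printf("matches: %llu\n", (unsigned long long)matches_total());
    return 0;
}
```

In the kernel the missing piece is the grace period: the writer cannot free the retired ruleset until every CPU that loaded the old pointer has left the lookup, which is exactly the bookkeeping an RCU-like scheme adds on top of the pointer swap shown here.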