From: Maxim Khitrov
Date: Thu, 22 Nov 2012 10:34:57 -0500
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.
To: Ermal Luçi
Cc: "freebsd-pf@freebsd.org"

On Thu, Nov 22, 2012 at 10:00 AM, Ermal Luçi wrote:
> On Thu, Nov 22, 2012 at 3:13 PM, Ian FREISLICH wrote:
>
>> Ermal Luçi wrote:
>> > On Tue, Nov 20, 2012 at 9:07 AM, Sami Halabi wrote:
>> > > This was actually discussed much before, as I read it would make some
>> > > issues with the new pf-smp work done by Gleb.
>> > >
>> > Not really since Gleb just changed the locking and nothing else.
>> > All his work is under the hood.
>> >
>> > He actually broke if-bound state but that's another story.
>>
>> Do you have more details on this? We use ifbound state in production
>> and I haven't noticed any issues with ifbound state, the way that
>> we use it.
>>
>> Well 'broken' is maybe not the good word depending on the context.
> The issue is that if-bound state in HEAD is a null op.
> Since every state goes into the hash buckets.
>
> Before with if-bound states a state will be bound to an interface so a
> packet coming/going from/to another interface would not match.
> Also would give some resilience with dynamic interfaces.
>
> Today it's a null op. So it voids the keyword which should be deprecated in
> FreeBSD or should be reintroduced!
> Also it may break people's assumptions on it.

So I take it that "set state-policy if-bound" will no longer have any
effect either? Is this expected to hit 10.0-RELEASE? It's definitely
not ok to break this functionality. SMP changes are far less valuable
than being able to filter each packet on ingress and egress.

- Max
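
The difference between the two state policies discussed in this thread, as an added example that is not part of the original message and not pf's code: a simplified Python model of state lookup in which a packet that matches an existing state is passed without ruleset evaluation. The class and function names are hypothetical and the addresses and interface names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def flow_key(p):
    """Direction-independent key, so a reply maps to the state of the original packet."""
    endpoints = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto,) + tuple(endpoints)

class StateTable:
    """Simplified model: one state per flow, remembering the creating interface."""
    def __init__(self, policy):
        if policy not in ("if-bound", "floating"):
            raise ValueError(f"unknown state policy: {policy}")
        self.policy = policy
        self.states = {}  # flow key -> interface the state was created on

    def add_state(self, pkt):
        self.states[flow_key(pkt)] = pkt.iface

    def matches(self, pkt):
        bound_if = self.states.get(flow_key(pkt))
        if bound_if is None:
            return False  # no state: the packet must be evaluated by the ruleset
        # floating: any interface matches; if-bound: only the creating interface
        return self.policy == "floating" or bound_if == pkt.iface

def demo():
    # Constructed sample traffic: a connection opened on em0, replies seen on em0 and em1.
    syn = Packet("em0", "tcp", "10.0.0.5", 40000, "192.0.2.10", 443)
    reply_same_if = Packet("em0", "tcp", "192.0.2.10", 443, "10.0.0.5", 40000)
    reply_other_if = Packet("em1", "tcp", "192.0.2.10", 443, "10.0.0.5", 40000)
    results = {}
    for policy in ("if-bound", "floating"):
        table = StateTable(policy)
        table.add_state(syn)
        results[policy] = (table.matches(reply_same_if), table.matches(reply_other_if))
    return results

if __name__ == "__main__":
    for policy, (same_if, other_if) in demo().items():
        print(f"{policy:9s} same-interface match={same_if} other-interface match={other_if}")
```

If if-bound behaves as a null op, as the quoted message describes, every state behaves like the `floating` row and the packet on the second interface is matched by state instead of being filtered there.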