Date: Sun, 20 Jul 2014 13:41:33 -0400
From: Alexander Kabaev
To: Maxim Khitrov
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <20140720134133.1d30f725@kan>
Cc: freebsd-current@freebsd.org, FreeBSD Mailing List

On Sun, 20 Jul 2014 10:15:36 -0400 Maxim Khitrov wrote:

> On Sun, Jul 20, 2014 at 8:39 AM, Lars Engels wrote:
> > On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote:
> >> all of that is true, but you are missing the point. Having two
> >> versions of pf on the bsd's at the user level, is a bad thing. It
> >> confuses people, which puts them off. It's a classic case of divide
> >> and conquer for other platforms. I really like the idea of the
> >> openpf version, that has been mentioned in this thread. It would
> >> be awesome if it ended up as a supported linux thing as well, so
> >> the world could be rid of iptables. However I guess that's just an
> >> unrealistic dream
> >
> > And you don't seem to get the point that _someone_ has to do the
> > work. No one has stepped up so far, so nothing is going to change.
>
> Gleb believes that the majority of FreeBSD users don't want the
> updated syntax, among other changes, from the more recent pf versions.
> Developers who share his opinion are not going to volunteer to do the
> work.
> This discussion is about showing this belief to be wrong, which
> is the first step in the process.
>
> In my opinion, the way forward is to forget (at least temporarily) the
> SMP changes, bring pf in sync with OpenBSD, put a policy in place to
> follow their releases as closely as possible, and then try to
> reintroduce all the SMP work. I think the latter has to be done
> upstream, otherwise it'll always be a story of diverging codebases.
> Furthermore, if FreeBSD developers were willing to spend some time
> improving pf performance on OpenBSD, then Henning and other OpenBSD
> developers might be more receptive to changes that make the porting
> process easier.

I am one person whose opinion Gleb got completely right - I could not
care less about new syntax nor about how close or how far are we from
OpenBSD, as long as pf works for my purposes and it does. This far into
the thread and somebody has yet to provide a comprehensive list of the
benefits that we allegedly miss, or to come up with the real benchmark
result to substantiate the performance claims. Focusing on disproving
anything Gleb might be believing in on the matter, while an interesting
undertaking, does nothing to give you new pf you supposedly want. Doing
the work and bringing it all the way to will completeness for commit -
does.

It was stated repeatedly by multiple people that FreeBSD's network
stack is way too different from OpenBSD, we support features OpenBSD
doesn't and vice versa, vimage is a good example, which throws a giant
wrench into the plan of following OpenBSD 'as closely as possible',
even at the expense of throwing away all of the SMP work done in pf to
date.
-- 
Alexander Kabaev