From: Adrian Chadd
To: Mark Felder
Cc: freebsd-hackers@freebsd.org
Date: Fri, 2 Jan 2015 08:53:34 -0800
Subject: Re: [FreeBSD 11 Wishlist] Replacing an OpenBSD Firewall

On 2 January 2015 at 07:41, Mark Felder wrote:
> UPDATE:
>
> I have everything working except QoS, so thanks for the 6rd gif tunnel
> workaround Nathan. ALTQ being absent from GENERIC is another sore spot
> that should be investigated.

I'm waiting for Gleb to do up his ifnet changes so we can do ninja
replacements of altq with something that won't cause massive normal
performance problems even if it's not being used.

(altq isn't compatible with the if_transmit method of doing transmit
handling, so drivers that support altq end up implementing the older
if_start method - that's a single queue and simply locked. It just
doesn't work well for 10g and above.)

> I've been encouraged to use ipfw and dummynet, but converting my
> firewall rules again is not something I'm enthusiastic about. I'll note
> that FreeBSD is often praised for including pf while ipfw is completely
> overlooked; our own Handbook even puts pf before ipfw. That certainly
> sends a message that we may not be intending to send and should be
> considered carefully.

Well, I bet the handbook updates were written by a pf-loving person. :)

ipfw is pretty awesome today.

-adrian