From: Tom Marcoen
Date: Tue, 20 Aug 2019 14:31:56 +0200
Subject: Re: Update to PF from OpenBSD 6.5
To: Kristof Provost
Cc: Goran Mekić, mlaier@freebsd.org, freebsd-pf@freebsd.org
In-Reply-To: <9723E5F9-8883-4629-9B32-2485F57E89AA@FreeBSD.org>

Hey Kristof,

Thank you for your very thorough explanation! It is very interesting to read that FreeBSD's PF is, in some ways, "better" than OpenBSD's (with regards to scalability). It was also very simplistic to state FreeBSD's version of PF essentially equals OpenBSD 4.1's version.
I made this statement based on the information on http://pf4freebsd.love2party.net/: "In HEAD - pf is at OpenBSD 4.1 - at this time." Of course this website might be outdated (it gives a date of March 8, 2004!) but it also presents it in a very simplistic manner.

Anyway, thanks again for the many insights.

On Tue, 20 Aug 2019 at 13:06, Kristof Provost wrote:
> On 20 Aug 2019, at 12:32, Goran Mekić wrote:
> > On Tue, Aug 20, 2019 at 11:49:18AM +0200, Kristof Provost wrote:
> > > One thing I've thought of trying, and that might be an interesting stepping
> > > stone, is to create a port (/usr/ports/net/opf or whatever) of OpenBSD's
> > > pf.
> > > In that version it'd be acceptable to not fix any of the above issues. It'd
> > > still give users the option of getting the new syntax. I'd expect this to be
> > > a relatively straightforward exercise.
> >
> > That would be cool, but only if FreeBSD PF can not be "fixed" to support
> > OpenBSD PF syntax.
>
> The main issue there is one of compatibility. How happy will our users be
> if their rulesets suddenly stop working after an upgrade?
>
> Anyway, none of this is on my active todo list. Don't expect to see it any
> time soon.
>
> > > In principle there's nothing to stop us from doing that same work in base,
> > > but we're **NOT** going to import a fourth firewall. We're just not.
> >
> > Are you sure? https://2019.eurobsdcon.org/talk-speakers/#NPF. At least I
> > hope the import is pfil based.
>
> I don't know what George's plans are exactly, but it's likely that he's
> doing the porting work to get an apples-to-apples comparison of firewall
> performance, not because he wants to maintain another firewall.
> Either way, I'm not pushing for another firewall. George gets to own one
> if he wants to.
>
> Regards,
> Kristof