Date: Tue, 8 Jul 2014 19:13:23 -0500
From: Jim Thompson <jim@netgate.com>
To: "Kristian K. Nielsen" <freebsd@com.jkkn.dk>
Cc: freebsd-pf@FreeBSD.org
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
Message-ID: <278A1BF1-B2E9-4F88-A376-27BD2D10B40C@netgate.com>
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>
References: <53BC717C.9080108@com.jkkn.dk>
On Jul 8, 2014, at 5:32 PM, Kristian K. Nielsen <freebsd@com.jkkn.dk> wrote:

> Hi all,
>
> I am a happy user of the pf-firewall module and have been for years and think it is really great, but lately it's getting a bit dusty.
>
> The last few years, however, it seems that pf in FreeBSD got a long way away from pf in OpenBSD where it originated, and I am also continually watching where FreeBSD goes with ipfilter (ipf) and ipfw (dead?).

I think if anything it's ipfilter that's getting a bit dusty, check the thread from last year:

http://lists.freebsd.org/pipermail/freebsd-net/2013-April/035207.html

While ipfilter wasn't removed from 10, there wasn't a lot of resolution, either.

Moreover, it is ipfw that is getting a lot of love (from luigi and crew), not ipfilter.

http://lists.freebsd.org/pipermail/freebsd-net/2012-August/032977.html
https://code.google.com/p/netmap-ipfw/

> So I am curious if anyone on the mailing list could elaborate about what the future of pf in FreeBSD is.
>
> a) First of all - is anyone actively developing pf in FreeBSD?

Yes. glebius multithreaded pf for 10. eri and gleb continue to work on it. gnn found an issue with the Jenkins hash recently, and proposed a fix. Work continues.

> b) We are a major release away from OpenBSD (5.6 coming soon) - is following OpenBSD's pf the past?

All I can offer here is opinion.

> c) We never got the new syntax from OpenBSD 4.7's pf - is that still blocking us?

'blocking'?

http://lists.freebsd.org/pipermail/freebsd-pf/2013-June/007095.html

> d) Anyone working on bringing FreeBSD up to 5.6?

There was some brief discussion of same at vBSD (prompted by Henning's rant after being pushed about his claims about the "pf" in OpenBSD being faster than the "pf" in FreeBSD 10).

This occurred both at ruBSD and vBSD:

http://tech.yandex.ru/events/yagosti/ruBSD/talks/1477/ (you can skip to 29:51)
http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (you can skip to 33:18 and 36:53 for the salient bits)
http://quigon.bsws.de/papers/2013/vbsdcon/
http://quigon.bsws.de/papers/2013/rubsd/

bapt apparently volunteered to attempt to bring the pf from a more modern pf to FreeBSD. You'll have to ask him about status.

You didn't ask, but Dragonfly also recently got some pf concurrency work committed.

http://lists.dragonflybsd.org/pipermail/commits/2014-June/270300.html

> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
> http://undeadly.org/cgi?action=article&sid=20140419151959
>
> f) IPv6 support? It seems to be more and more challenged in the current version of pf in FreeBSD, and I am (as well as others) introducing more and more IPv6 in networks.
> E.g. bugs #179392, #172648, #130381, #127920 and, more seriously, #124933, which is the bug on not handling IPv6 fragments, which has been open since 2008 and where the workaround is the necessity to leave an open hole in your firewall ruleset to allow all fragments. According to a comment in the bug, this has been long gone in OpenBSD.

Ermal is looking at #124933, because I think it's important to get this fixed for pfSense.

Jim