From: Jim Thompson
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
Date: Tue, 8 Jul 2014 19:13:23 -0500
To: "Kristian K. Nielsen"
Cc: freebsd-pf@FreeBSD.org
Message-Id: <278A1BF1-B2E9-4F88-A376-27BD2D10B40C@netgate.com>
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>

On Jul 8, 2014, at 5:32 PM, Kristian K. Nielsen wrote:

> Hi all,
>
> I am a happy user of the pf firewall module and have been for years and think it is really great, but lately it's getting a bit dusty.
>
> The last few years, however, it seems that pf in FreeBSD got a long way away from pf in OpenBSD where it originated, and I am also continually watching where FreeBSD goes with ipfilter (ipf) and ipfw (dead?).

I think if anything it's ipfilter that's getting a bit dusty, check the thread from last year:

http://lists.freebsd.org/pipermail/freebsd-net/2013-April/035207.html

while ipfilter wasn't removed from 10, there wasn't a lot of resolution, either.

moreover, it is ipfw that is getting a lot of love (from luigi and crew), not ipfilter.

http://lists.freebsd.org/pipermail/freebsd-net/2012-August/032977.html
https://code.google.com/p/netmap-ipfw/

> So I am curious if anyone on the mailing list could elaborate about what the future of pf in FreeBSD is.
>
> a) First of all - are any actively developing pf in FreeBSD?

Yes. glebius multithreaded pf for 10. eri and gleb continue to work on it. gnn found an issue with the Jenkins hash recently, and proposed a fix. work continues.

> b) We are a major release away from OpenBSD (5.6 coming soon) - is following OpenBSD's pf the past?

All I can offer here is opinion.

> c) We never got the new syntax from OpenBSD 4.7's pf - is that still blocking us?

'blocking'?

http://lists.freebsd.org/pipermail/freebsd-pf/2013-June/007095.html

> d) Anyone working on bringing FreeBSD up to 5.6?

There was some brief discussion of same at vBSD (prompted by Henning's rant after being pushed about his claims about the "pf" in OpenBSD being faster than the "pf" in FreeBSD 10). This occurred both at ruBSD and vBSD

http://tech.yandex.ru/events/yagosti/ruBSD/talks/1477/ (you can skip to 29:51)
http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (you can skip to 33:18 and 36:53 for the salient bits)

http://quigon.bsws.de/papers/2013/vbsdcon/
http://quigon.bsws.de/papers/2013/rubsd/

bapt apparently volunteered to attempt to bring the pf from a more modern pf to FreeBSD. You'll have to ask him about status.

You didn't ask, but Dragonfly also recently got some pf concurrency work committed.

http://lists.dragonflybsd.org/pipermail/commits/2014-June/270300.html

> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
> http://undeadly.org/cgi?action=article&sid=20140419151959
>
> f) IPv6 support? - it seems to be more and more challenged in the current version of pf in FreeBSD, and I am (as well as others) introducing more and more IPv6 in networks.
> E.g. bugs #179392, #172648, #130381, #127920 and, more seriously, #124933, which is the bug on not handling IPv6 fragments, which has been open since 2008 and where the workaround is the necessity to leave an open hole in your firewall ruleset to allow all fragments. According to a comment in the bug, this has been long gone in OpenBSD.

Ermal is looking at #124933, because I think it's important to get this fixed for pfSense.

Jim
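As an added illustration (not part of Jim's or Kristian's mail, nor of the FreeBSD project's documentation) of the "open hole" workaround that bug #124933 forces, here is a pf.conf excerpt written for a FreeBSD 10 host whose pf does not reassemble IPv6 fragments. The interface name em0, the macro $ext_if and the sample service ports are assumptions chosen for the example; the rule syntax is the pf.conf syntax FreeBSD 10 ships.

```pf
# Added example, not from the mailing-list thread. Assumes FreeBSD 10 pf
# and an external interface named em0 (placeholder).
ext_if = "em0"

# IPv4 fragments are reassembled by pf before rules are evaluated, so
# they need no special pass rule.
scrub in on $ext_if all fragment reassemble

# Default deny on the external interface; log what is dropped.
block in log on $ext_if all

# Workaround for the unhandled-IPv6-fragment behaviour (PR #124933).
# Non-first IPv6 fragments carry only the Fragment extension header
# (protocol 44, "ipv6-frag" in /etc/protocols) and not the TCP/UDP
# header, so they cannot be matched on port: a blanket pass is the only
# way to let fragmented IPv6 traffic through. "log" makes the exposure
# visible in pflog instead of silently widening the ruleset.
pass in quick log on $ext_if inet6 proto ipv6-frag all

# Normal stateful rules follow; unfragmented IPv6 traffic is still
# filtered as usual. Ports are sample values.
pass in on $ext_if inet6 proto tcp to ($ext_if) port { 22 443 }
```

The point for a defender is that the ipv6-frag rule cannot be tightened by port or state the way the rules below it are, which is exactly why the thread treats #124933 as a security issue rather than a mere feature gap; until reassembly exists, keeping the rule logged and scoped to the one interface that needs it is the most that the ruleset itself can do.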