Date: Wed, 9 Jul 2014 17:30:21 +0200
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
From: Ermal Luçi
To: Mark Martinec
Cc: "freebsd-pf@freebsd.org"

On Wed, Jul 9, 2014 at 2:42 PM, Mark Martinec wrote:

> On 2014-07-09 0:32, Kristian K. Nielsen wrote:
>
>> f) IPv6 support? - it seems to be more and more challenged in the current
>> version of pf in FreeBSD and I am (as well as others) introducing more
>> and more IPv6 in networks.
>> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
>> which is the bug on not handling IPv6 fragments which has been open
>> since 2008 and where the workaround is the necessity to leave an open hole
>> in your firewall ruleset to allow all fragments. According to a comment in
>> the bug, this has been long gone in OpenBSD.
>
> The neglect of IPv6 in FreeBSD's pf is a real deal-breaker for us.
> Besides the long-standing bugs (like: scrub reassemble tcp
> breaks CRC on IPv6), the following stands out:

Can you be a bit more verbose on this one?

> - last time I looked, neither PF nor IPFW could be used on a
>   FreeBSD kernel built WITHOUT_INET. This means that features
>   like ssh-guard and per-application protection on a dedicated
>   IPv6-only host are not available

I am not sure on the version in FreeBSD 10 but on FreeBSD 9 and before it should be possible to compile without INET afair!
Which version of FreeBSD are you testing this on?

> - no support for IPv6 prefix translation,
>   and no stateful NAT64 support

Part of this is on my queue to be integrated from Open, soon!

> Then, unrelated to IPv6:
>
> - no support for DSCP (the TOS byte includes ECN bits, hard to
>   filter out)
>
> - the new 'match' mechanism would be really nice to have

All of this is on pfSense side implemented. I cannot state the clear timeline of integration into FreeBSD but patches are available for pf from pfSense.

> Mark

--
Ermal