From: "Mike."
To: freebsd-pf@FreeBSD.org
Date: Wed, 09 Jul 2014 11:51:45 -0400
Subject: Re: Future of pf in FreeBSD ? - does it have one ?
Message-ID: <201407091151450963.006631FA@smtp.24cl.home>
In-Reply-To: <53BC717C.9080108@com.jkkn.dk>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 7/9/2014 at 12:32 AM Kristian K. Nielsen wrote:

|Hi all,
|
|I am a happy user of the pf firewall module and have been for years, and
|think it is really great, but lately it is getting a bit dusty.
|
|The last few years, however, it seems that pf in FreeBSD has got a long
|way away from pf in OpenBSD, where it originated, and I am also
|continually watching where FreeBSD goes with ipfilter (ipf) and ipfw
|(dead?).
|
|So I am curious if anyone on the mailing list could elaborate about what
|the future of pf in FreeBSD is.
|
|a) First of all - is anyone actively developing pf in FreeBSD?
|
|b) We are a major release away from OpenBSD (5.6 coming soon) - is
|following OpenBSD's pf a thing of the past?
|
|c) We never got the new syntax from OpenBSD 4.7's pf - is that still
|blocking us?
|
|d) Is anyone working on bringing FreeBSD up to 5.6?
|
|e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
|http://undeadly.org/cgi?action=article&sid=20140419151959
|
|f) IPv6 support? It seems to be more and more challenged in the current
|version of pf in FreeBSD, and I am (as well as others) introducing more
|and more IPv6 in networks.
|E.g. bugs #179392, #172648, #130381, #127920 and, more seriously,
|#124933, which is the bug on not handling IPv6 fragments, which has been
|open since 2008 and where the workaround is the necessity to leave an
|open hole in your firewall ruleset to allow all fragments. According to
|a comment in the bug, this has been long gone in OpenBSD.
|
|Hope to hear from you all,
|
|Best regards,
|
|Kristian Kræmmer Nielsen,
|Odense, Denmark

=============

I would like to see FreeBSD's pf get back to more closely tracking the OpenBSD pf. It seems like there was a major fork in order to implement the SMP-friendly FreeBSD version. While the increase in processing capability in the FreeBSD version is good, the falling behind in most of the other features (as noted on this thread) has been a pretty severe price to pay.
For me, the newer syntax and features of the current OpenBSD pf.conf file, and better IPv6 support need to be reflected in the FreeBSD version of pf. It currently appears that the one SMP-friendly project on the FreeBSD version of pf has pretty much killed the ease with which FreeBSD pf can move forward, because the FreeBSD pf momentum has been lost by the removal of easier incorporation of the ongoing OpenBSD improvements to pf.