From owner-freebsd-questions@FreeBSD.ORG Wed Jul 23 19:59:34 2014
From: Cy Schubert
Reply-to: Cy Schubert
To: "Andrey V. Elsukov"
Cc: Maxim Khitrov, freebsd-current@freebsd.org, FreeBSD Mailing List
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Wed, 23 Jul 2014 12:59:30 -0700
Message-Id: <201407231959.s6NJxUb6090902@slippy.cwsent.com>
In-Reply-To: Message from "Andrey V. Elsukov" of "Mon, 21 Jul 2014 15:12:22 +0400." <53CCF596.1070302@yandex.ru>
List-Id: User questions (freebsd-questions@freebsd.org)
X-os: FreeBSD
X-URL: http://www.komquats.com/

In message <53CCF596.1070302@yandex.ru>, "Andrey V. Elsukov" writes:

> On 20.07.2014 18:15, Maxim Khitrov wrote:
> > In my opinion, the way forward is to forget (at least temporarily) the
> > SMP changes, bring pf in sync with OpenBSD, put a policy in place to
> > follow their releases as closely as possible, and then try to
> > reintroduce all the SMP work. I think the latter has to be done
> > upstream, otherwise it'll always be a story of diverging codebases.
> > Furthermore, if FreeBSD developers were willing to spend some time
> > improving pf performance on OpenBSD, then Henning and other OpenBSD
> > developers might be more receptive to changes that make the porting
> > process easier.
>
> Even if you just drop the current PF from FreeBSD, there is nobody who wants
> to port the new PF from OpenBSD. And this is not an easy task, as you may
> think. Gleb has worked on rewriting PF for more than half a year. So, bringing
> back all the improvements after an import will be hard enough and, again,
> nobody wants to do it. :)

One way or another something needs to be done, and agreed, it would be a lot of work. Our options are:

a) Import OpenBSD pf, thereby throwing away our current investment in pf. All our work to get it up to snuff with our IP stack, SMP, and VIMAGE would be all for naught. We do get a new pf though. It won't be a quality port though. Personally, not my #1 option.

b) Merge updates from OpenBSD pf into our pf. Once again a lot of work, but we do save the work we put into our pf. Once again a lot of work. We'd be introducing incompatibility.

c) Do nothing. It goes without saying that pf would suffer rot and eventually we would need to do something.

d) Yank pf from the tree. An option, but probably not a great one. We do have two other packet filters in the kernel (ipfw and ipfilter); however, they are different beasts with different capabilities. I think the reason we have the packet filters we do have is for the capabilities they bring to the table. I for one have run more than one in the same kernel because each has different capabilities.

e) We could add capability to pf on a piecemeal basis. Option (b), but as time permits. Remember, people have jobs and commitments. Funding would help address this.

f) Finally, how does NetBSD's npf compare to OpenBSD's pf? Is it more compatible with our IP stack? Could this be an option?

Anything we do should work with VIMAGE and be able to handle nat66 as well.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.