Date: Wed, 17 Dec 2014 22:54:57 -0300
From: Mario Lobo
To: freebsd-pf@freebsd.org
Subject: Re: Alternative to pf?

On Thu, 18 Dec 2014 00:43:59 +0100
Daniel Engberg wrote:

> Hi,
>
> During the year there have been several discussions regarding the
> state of pf in FreeBSD. In most cases it seems to boil down to that
> it's too hard/time-consuming to bring upstream patches from OpenBSD
> to FreeBSD. As it's been mentioned Apple seems to update pf somewhat
> (copyright is changed to 2013 at least) and file size differs between
> OS X releases but I wasn't able to find any commit logs.
>
> That said, NetBSD have something similar to pf in syntax called npf
> which seems actively maintained and the author seems open to the idea
> of porting it to FreeBSD.
> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
> However I'm not certain that it surpasses our current pf in terms of
> functionality in all cases (apart from the firewalling ALTQ comes to
> mind etc).
> Perhaps this might be worth looking into and in the end drop pf due
> to the reasons above?
>
> That said, don't forget all the work that has gone into getting pf
> where it is today.
> While I'm at it, does anyone else than me use ALTQ? While it's not
> multithreaded I find it a very good "tool" and it does shaping really
> well.
>
> Best regards,
> Daniel

I think that just pf and ipfw would be more than "enough" for FBSD. I have used both but I'm more comfortable with pf's configuration than with ipfw. I have even tested ipfw filtering together with pf altq.

I totally rely on pf's ALTQ in production simply because it works perfectly, no matter how complex the setup. Been using it for years now.

From what I have read, there are quite a few changes in OpenBSD pf, especially as far as syntax is concerned. I'm just a user so I can only imagine the hard work involved in porting it but, running the risk of making a lame comment, I would be completely satisfied if only 2 things could be implemented: SMP and fix the ALTQ limitation "bug".

For everything else, I wouldn't change a thing.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)

"UNIX was not designed to stop you from doing stupid things,
because that would also stop you from doing clever things."