From: Cy Schubert
Reply-To: Cy Schubert
To: Fbsd8
Cc: Cy Schubert, Maxim Khitrov, "Andrey V. Elsukov", FreeBSD Mailing List, freebsd-current@freebsd.org
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Date: Fri, 25 Jul 2014 10:52:48 -0700
Message-Id: <201407251753.s6PHr1Pd099607@slippy.cwsent.com>
In-Reply-To: Message from Fbsd8 of "Wed, 23 Jul 2014 17:05:33 -0400." <53D0239D.1050906@a1poweruser.com>
X-Mailer: exmh version 2.8.0 04/21/2012 with nmh-1.6
List-Id: User questions (freebsd-questions@freebsd.org)

Sorry for the late reply. It's a busy time right now.

In message <53D0239D.1050906@a1poweruser.com>, Fbsd8 writes:
> Cy Schubert wrote:
> >> On 20.07.2014 18:15, Maxim Khitrov wrote:
> >>> In my opinion, the way forward is to forget (at least temporarily) the
> >>> SMP changes, bring pf in sync with OpenBSD, put a policy in place to
> >>> follow their releases as closely as possible, and then try to
> >>> reintroduce all the SMP work. I think the latter has to be done
> >>> upstream, otherwise it'll always be a story of diverging codebases.
> >>> Furthermore, if FreeBSD developers were willing to spend some time
> >>> improving pf performance on OpenBSD, then Henning and other OpenBSD
> >>> developers might be more receptive to changes that make the porting
> >>> process easier.
> >> Even if you just drop current PF from FreeBSD, there is nobody, who want
> >> to port new PF from OpenBSD. And this is not easy task, as you may
> >> think. Gleb has worked on rewriting PF more than half year. So, return
> >> back all improvements after import will be hard enough and, again,
> >> nobody want to do it. :)
> >
> > One way or another something needs to be done and agreed it would be a lot
> > of work. Our options are,
> >
> > a) Import OpenBSD pf thereby throwing away our current investment in pf.
> > All our work to get it up to snuff with our IP stack, SMP, and VIMAGE would
> > be all for naught. We do get a new pf though. Won't be a quality port
> > though. Personally, not my #1 option.
> >
> > b) Merge updates from OpenBSD pf to our pf. Once again a lot of work but we
> > do save the work we put into our pf. Once again a lot of work. We'd be
> > introducing incompatibility.
> >
> > c) Do nothing. It goes without saying that pf would suffer rot and
> > eventually we would need to do something.
> >
> > d) Yank pf from tree. An option but probably not a great one. We do have
> > two other packet filters in the kernel (ipfw and ipfilter) however they are
> > different beasts with different capabilities. I think the reason we have
> > the packet filters we do have is for the capabilities they bring to the
> > table. I for one have run more than one in the same kernel because each has
> > different capabilities.
> >
> > e) We could add capability to pf on a piecemeal basis. Option (b) but as
> > time permits. Remember, people have jobs and commitments. Funding would
> > help address this.
> >
> > f) Finally, how does NetBSD's npf compare to OpenBSD's pf? Is it more
> > compatible with our IP stack? Could this be an option?
> >
> > Anything we do should work with VIMAGE and be able to handle nat66 as well.
> >
> >
> Hello Cy;
> Finally a voice I recognize. If I remember correctly you stepped up to
> the plate earlier this year and did for ipfilter the same kind of things

Last autumn.

> this thread is talking about for pf. IE; apply upstream maintenance and
> convert to FreeBSD standards. I think your work was a BSD fork of
> Darrow's ipfilter which from this point on all upstream maintenance must
> be hand merged into the BSD fork. I am a long time ipfilter user and

Actually we did not fork ipfilter. It's simply included into our tree, with
a few modifications.

> thank you for your dedication and work ethics getting the updated
> ipfilter into 10.0 and 9.3 so quickly.

You're welcome. I too am a long time ipfilter user (Solaris and FreeBSD).

>
> So as someone who has been there and done that already you have unique
> experience to really know the size of the task in hours to accomplish a
> pf upgrade. Could you list the tasks and hours it took you to perform
> the ipfilter upgrade so readers can have a real insight into what they
> are asking for?

The experience is not unique. Every developer pretty much follows the same
process when importing code into the tree. As for tasks, the ipfilter import
was relatively simple compared to some others. Remember, ipfilter was
designed to be run on any of the BSDs, SunOS, Solaris, and HP/UX, IRIX, and
Tru64 UNIX. That made upgrading from 4.1.28 to 5.1.2 simpler than pf which
is written only for OpenBSD and its stack.

>
> I agree with your option "e" above, but I would re-word it this way.
> Using the pf fork we already have in place, hand merge upstream
> differences in piecemeal chunks as time permits. The openbsd new syntax
> being the first chunk, closely followed by VIMAGE awareness.

Personally I would choose option "e" because of $JOB and $FAMILY
commitments.

Adding the new OpenBSD syntax may be more difficult than we might think. The
new syntax may be related to a new internal structure of pf. If the new pf
is a rewrite (ipfilter 5.1.2 was a rewrite of large chunks of code), then
you have no option but to do a wholesale import and retrofit our mods back
into it, if they would even fit at all.

I think the first task for anyone taking this on would be to familiarize
oneself with the current pf code in FreeBSD and what was done to make it fit
and to enhance it, then familiarize oneself with the new pf to get a feel
for what work would be involved.

>
> When it comes to someone volunteering to do the work, many of us would
> step up, but the fact is only a very very few people have the coding and
> kernel knowledge to even consider doing this.

Understanding the FreeBSD kernel helps but if a person doesn't have intimate
knowledge of the FreeBSD kernel, you can always learn. There are some good
books out there to help along the way. The Design and Implementation of the
FreeBSD Kernel and Writing FreeBSD Device Drivers are two good examples. Of
course having intimate knowledge is better but having worked on other
kernels and understanding the nature of the beast goes a long way to working
on any systems programming project, not just FreeBSD. If you understand how
kernels generally operate you're more than half way there to volunteering
and help out -- submit code and someone more senior on the project can take
it from there and help out with the effort. (Once again, many hands make
light work.)

I don't think people should feel afraid of systems programming (kernel
programming). The reason Linux gets so much more traction in any particular
area of development is because they have many more people working on it. I
would like to see more people pitch in and help out.


-- 
Cheers,
Cy Schubert
FreeBSD UNIX:    Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.