Subject: Re: Alternative to pf?
From: Jim Thompson
In-Reply-To: <20141217225457.64c16404@Papi>
Date: Wed, 17 Dec 2014 20:05:10 -0600
Message-Id: <55B84D9D-B376-4EFF-8998-723A62AF5D6A@netgate.com>
References: <7be936232e96ae10d9734598014fd9d5@pyret.net> <20141217225457.64c16404@Papi>
To: Mario Lobo
Cc: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

> On Dec 17, 2014, at 7:54 PM, Mario Lobo wrote:
>
> On Thu, 18 Dec 2014 00:43:59 +0100
> Daniel Engberg wrote:
>
>> Hi,
>>
>> During the year there have been several discussions regarding the
>> state of pf in FreeBSD. In most cases it seems to boil down to that
>> it's too hard/time-consuming to bring upstream patches from OpenBSD
>> to FreeBSD. As it's been mentioned, Apple seems to update pf somewhat
>> (copyright is changed to 2013 at least) and file size differs between
>> OS X releases, but I wasn't able to find any commit logs.
>>
>> That said, NetBSD has something similar to pf in syntax called npf
>> which seems actively maintained, and the author seems open to the idea
>> of porting it to FreeBSD.
>> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
>> However, I'm not certain that it surpasses our current pf in terms of
>> functionality in all cases (apart from the firewalling, ALTQ comes to
>> mind etc).
>> Perhaps this might be worth looking into and in the end drop pf due
>> to the reasons above?
>>
>> That said, don't forget all the work that has gone into getting pf
>> where it is today.
>> While I'm at it, does anyone other than me use ALTQ? While it's not
>> multithreaded, I find it a very good "tool" and it does shaping really
>> well.
>>
>> Best regards,
>> Daniel
>
>
> I think that just pf and ipfw would be more than "enough" for FBSD. I
> have used both, but I'm more comfortable with pf's configuration than
> with ipfw. I have even tested ipfw filtering together with pf altq. I
> totally rely on pf's ALTQ at production simply because it works
> perfectly, no matter how complex the setup. Been using it for years now.

Even with the SMP in 10, pf is as slow as molasses in January, and 10G interfaces are a thing now.

(Someone is sure to cry, "but I can fill a 10G interface in front of pf!" Yes, with max-sized packets. Try it with 256 byte (or 64 byte) packets. Yup.)

Moreover, pf has fundamental limitations (last match).

> From what I have read, there are quite a few changes in openbsd pf,
> especially as far as syntax is concerned. I'm just a user, so I can only
> imagine the hard work involved in porting it, but running the risk of
> making a lame comment, I would be completely satisfied if only 2 things
> could be implemented: SMP and fix the ALTQ limitation "bug".

FreeBSD already has SMP, and I don't know what you might be referring to as "ALTQ limitation 'bug'".

Are you saying you'd be "completely satisfied" if you had SMP support with OpenBSD or a port of OpenBSD's pf to FreeBSD, or something else?
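The "last match" remark above, illustrated with a small Python model of pf's rule-evaluation order (an added example, not part of the thread and not pf's own code; the Rule and Packet types and the two rulesets are constructed for the demonstration).

```python
"""Model of pf's rule-evaluation order (added example, not from the thread).

pf walks the ruleset top to bottom; the LAST matching rule decides the
packet's fate, unless a matching rule carries 'quick', which stops the
walk at that rule. A packet that matches no rule passes (pf's default).
Getting this wrong is a common way a later, broad 'pass' silently undoes
an earlier, narrow 'block'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False           # stop evaluation when this rule matches


@dataclass
class Packet:
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule, or None if nothing matched)."""
    decision, idx = "pass", None          # pf's default when no rule matches
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision, idx = rule.action, i  # last match so far wins
            if rule.quick:
                break                        # 'quick' ends the walk here
    return decision, idx


# Constructed rulesets: in LAST_MATCH the later, broader 'pass' overrides
# the earlier 'block' on port 22; in QUICK the block short-circuits the walk.
LAST_MATCH = [Rule("block", proto="tcp", dport=22), Rule("pass", proto="tcp")]
QUICK = [Rule("block", proto="tcp", dport=22, quick=True), Rule("pass", proto="tcp")]

if __name__ == "__main__":
    ssh = Packet("tcp", 22)
    print(evaluate(LAST_MATCH, ssh))  # ('pass', 1): the block was overridden
    print(evaluate(QUICK, ssh))       # ('block', 0): quick made it stick
```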