Date:      Fri, 07 Sep 2012 11:26:21 +0200
From:      Ian FREISLICH <ianf@clue.co.za>
To:        Ermal Luçi <eri@freebsd.org>
Cc:        pf@freebsd.org
Subject:   Re: [HEADS UP] merging projects/pf into head
Message-ID:  <E1T9upR-0000bK-SI@clue.co.za>
In-Reply-To: <CAPBZQG1iQ31bxMkKOKUUFpfOt15YMxgx1hmnj3HsQSj++GJYqw@mail.gmail.com>
References:  <CAPBZQG1iQ31bxMkKOKUUFpfOt15YMxgx1hmnj3HsQSj++GJYqw@mail.gmail.com> <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <CAPBZQG0a4WVB4W4OwF3CAJH-G4DTDan-Nz1HR1SFAgFOfe+a=Q@mail.gmail.com> <20120906064640.GL15915@glebius.int.ru>

> > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The
> > OpenBSD-pf port have proved to be poorly maintained. After last
> > import that was made by you, at least the following regressions were
> > introduced:
> >
> > - enabling pfsync immediately panics
> > - kldunload pf.ko immediately panics
>
> Going to personal attacks shows you're willing to discuss as a civilized
> person.  Though that does not mean anything in the sense that bugs are
> there to be found by testers.

I don't think Gleb is being personal about this.  Facts are
facts and pf is currently unusable for me, even at home, because
of spuriously dropped packets.

From my point of view as a user, the FreeBSD pf port is unmaintained.
I'm sorry if you find this observation offensive.  It seems like
the only fixes available are to import a new pf from OpenBSD.  There
are structural issues that need to be addressed to make it work
properly on FreeBSD, and Gleb has done that.

We're struggling with an issue that appears to be a "forever problem"
- the "pf: state key linking mismatch" - which affects pf as far back
as we've been prepared to test (FreeBSD-8.0), although it only
became visible in the logs in -CURRENT before 9-RELEASE with the
pf import then.  It manifests as connections stalling randomly.

There's not been a fix since it was first reported.  We're seeing
0.08% of our connections dropped on the floor or about 4 per second.
As a result, we've been seriously considering replacing our FreeBSD
routers.

> If you have not found out yet, testers for something that people take
> for granted as firewalls are scarce in general.

Testing this stuff is hard because it's very difficult to simulate
a production environment outside of the production environment.
People generally don't want production to break.

Ian

-- 
Ian Freislich
