Date:      Fri, 27 Jan 2012 10:55:43 +1100
From:      Peter Jeremy <peterjeremy@acm.org>
To:        Walt Elam <wrelam@gmail.com>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: Getting Involved
Message-ID:  <20120126235543.GA38187@server.vk2pj.dyndns.org>
In-Reply-To: <CAConN%2Bkq8kHZGNUHP9vgZDNYbQWVAcWRsWS89iXASffsPDMCEg@mail.gmail.com>
References:  <CAConN%2BkZquK7MJ_6YPtEV=sJdqC%2BniRqMmp2ZgQL%2Bo2m1wvXSQ@mail.gmail.com> <CAPBZQG2S9T4v_4g09mXaukG4o3_4w8h51py6-iPoA%2BgmsuenUw@mail.gmail.com> <9EB23F6C23A8B6488E8BCC92A48E832612A5BC03A9@PEMEXMBXVS04.jellyfishnet.co.uk.local> <E0053250-530D-4ADA-8230-E506814E475D@lists.zabbadoz.net> <CAConN%2Bke5h3V6fponKgKc_Yc_XgQ%2BGXo9p_Pqqg85NKkbW158w@mail.gmail.com> <CAConN%2Bkq8kHZGNUHP9vgZDNYbQWVAcWRsWS89iXASffsPDMCEg@mail.gmail.com>


On 2012-Jan-23 00:42:13 -0500, Walt Elam <wrelam@gmail.com> wrote:
>I searched a bit this weekend and couldn't figure out where exactly to
>download the code for OpenBSD's PF.

Unlike things like OpenSSH, PF was not developed and is not available
as a standalone, portable package.  The only way to get the code is
to check out the relevant bits of the OpenBSD repository using one of
the methods listed under "Getting Source" on http://www.openbsd.org/

> Also, if it is all written in C, then I don't
>understand why we couldn't just install the right ports/packages and have
>the OpenBSD code work in FreeBSD. Could someone explain that, please?

PF isn't a userland application that uses (e.g.) POSIX standard
interfaces and just needs recompilation to work in FreeBSD.  It is
intimately linked into the network stack and relies on internal kernel
interfaces - which are not standardised.  Whilst FreeBSD and OpenBSD
are both derived from the same codebase, they have diverged over the
years and it's not possible to move arbitrary kernel code from one to
the other and have it "just work".  Specific issues with moving the PF
code include the work on virtualising and parallelising the FreeBSD
network stack whereas OpenBSD has a single-threaded network stack.  As
a minimum, you need to add a lock around the PF code - though this
would adversely impact throughput.  A more thorough port would involve
adding fine-grained locking to the PF code and adjusting some of the
data structures to reduce cache-thrashing.

>Lastly, I didn't really understand the reason given for using the old
>syntax. Even if we focused on porting over pf 4.7 then that would
>technically be enough to get into the new syntax for rules.

The whole problem is that the new syntax is not backward compatible
with the old syntax.  There has recently been a fairly long thread in
-hackers discussing (in part) the need for long-term stability of
interfaces.  The FreeBSD Project offers interface stability within
major versions, therefore an incompatible change in PF syntax could
not be introduced into any FreeBSD-9 or earlier branch.

It would seem a reasonable goal to port pf 4.7 (or later) into -current
so it will form part of 10.x but I can't see it appearing in 9.x.

--
Peter Jeremy
