From: Peter Jeremy
To: Walt Elam
Cc: freebsd-pf@freebsd.org
Date: Fri, 27 Jan 2012 10:55:43 +1100
Message-ID: <20120126235543.GA38187@server.vk2pj.dyndns.org>
References: <9EB23F6C23A8B6488E8BCC92A48E832612A5BC03A9@PEMEXMBXVS04.jellyfishnet.co.uk.local>
Subject: Re: Getting Involved
On 2012-Jan-23 00:42:13 -0500, Walt Elam wrote:
> I searched a bit this weekend and couldn't figure out where exactly to
> download the code for OpenBSD's PF.

Unlike things like OpenSSH, PF was not developed and is not available as a standalone, portable package. The only way to get the code is to check out the relevant bits of the OpenBSD repository using one of the methods listed under "Getting Source" on http://www.openbsd.org/

> Also, if it is all written in C, then I don't understand why we couldn't
> just install the right ports/packages and have the OpenBSD code work in
> FreeBSD. Could someone explain that, please?

PF isn't a userland application that uses (e.g.) POSIX standard interfaces and just needs recompilation to work in FreeBSD. It is intimately linked into the network stack and relies on internal kernel interfaces - which are not standardised. Whilst FreeBSD and OpenBSD are both derived from the same codebase, they have diverged over the years and it's not possible to move arbitrary kernel code from one to the other and have it "just work".

Specific issues with moving the PF code include the work on virtualising and parallelising the FreeBSD network stack, whereas OpenBSD has a single-threaded network stack. As a minimum, you need to add a lock around the PF code - though this would adversely impact throughput. A more thorough port would involve adding fine-grained locking to the PF code and adjusting some of the data structures to reduce cache-thrashing.

> Lastly, I didn't really understand the reason given for using the old
> syntax. Even if we focused on porting over pf 4.7 then that would
> technically be enough to get in to the new syntax for rules.

The whole problem is that the new syntax is not backward compatible with the old syntax. There has recently been a fairly long thread in -hackers discussing (in part) the need for long-term stability of interfaces. The FreeBSD Project offers interface stability within major versions, therefore an incompatible change in PF syntax could not be introduced into any FreeBSD-9 or earlier branch. It would seem a reasonable goal to port pf 4.7 (or later) into -current so it will form part of 10.x but I can't see it appearing in 9.x.

-- 
Peter Jeremy
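As an added illustration of the syntax break this reply refers to (not part of the original message), here is the same NAT and port-forward policy written once in the pre-4.7 pf.conf syntax that FreeBSD's pf accepts and once in the OpenBSD 4.7+ syntax; the interface name and addresses are made up:

```conf
# --- pre-4.7 syntax (what FreeBSD 9.x pf parses): 'nat' and 'rdr' are rule types of their own
ext_if  = "em0"                # constructed example values
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv
pass out on $ext_if from $lan_net to any
pass in on $ext_if proto tcp from any to $web_srv port 80

# --- OpenBSD 4.7+ syntax: standalone nat/rdr rules are gone; translation is an
# option ('nat-to', 'rdr-to') attached to match/pass rules, and the translated
# address is matched before translation.
match out on $ext_if from $lan_net to any nat-to ($ext_if)
pass out on $ext_if from $lan_net to any
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv

# The break runs both ways: a 4.7+ pfctl rejects 'nat on ...' / 'rdr on ...'
# as syntax errors, and a pre-4.7 pfctl rejects 'nat-to' / 'rdr-to'. An
# existing ruleset therefore cannot be loaded unchanged across the change,
# which is the interface-stability problem described in the reply above.
```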