Date:      Fri, 7 Sep 2012 13:02:39 +0200
From:      Ermal Luçi <eri@freebsd.org>
To:        Ian FREISLICH <ianf@clue.co.za>
Cc:        pf@freebsd.org
Subject:   Re: [HEADS UP] merging projects/pf into head
Message-ID:  <CAPBZQG2b1AAdNBT9NVve8kzzxF%2Bu2T5Kgs10jO92nmZegvWebw@mail.gmail.com>
In-Reply-To: <E1T9upR-0000bK-SI@clue.co.za>
References:  <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <CAPBZQG0a4WVB4W4OwF3CAJH-G4DTDan-Nz1HR1SFAgFOfe%2Ba=Q@mail.gmail.com> <20120906064640.GL15915@glebius.int.ru> <CAPBZQG1iQ31bxMkKOKUUFpfOt15YMxgx1hmnj3HsQSj%2B%2BGJYqw@mail.gmail.com> <E1T9upR-0000bK-SI@clue.co.za>

Hello Ian,

On Fri, Sep 7, 2012 at 11:26 AM, Ian FREISLICH <ianf@clue.co.za> wrote:
>> > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The
>> > OpenBSD-pf port has proved to be poorly maintained. After last
>> > import that was made by you, at least the following regressions were
>> > introduced:
>> >
>> > - enabling pfsync immediately panics
>> > - kldunload pf.ko immediately panics
>>
>> Going to personal attacks shows your willingness to discuss as a civilized
>> person.  Though that does not mean anything in the sense that bugs are
>> there to be found by testers.
>
> I don't think Gleb is being personal about this.  Facts are
> facts and pf is currently unusable for me, even at home because
> of spuriously dropped packets.
>

I have missed this in the freebsd-pf lists!
I know of many things to be fixed in general in pf(4), since I mostly
fixed them already for pfSense.
Pushing some of those fixes in FreeBSD has mostly been delayed from
$WORK or workflow to follow for putting those fixes in FreeBSD.
FYI, I still have maintainer approval to go through.

> From my point of view as a user, the FreeBSD pf port is unmaintained.
> I'm sorry if you find this observation offensive.  It seems like
> the only fixes available are to import a new pf from OpenBSD.  There
> are structural issues that need to be addressed to make it work
> properly on FreeBSD and Gleb has done that.
>
This problem is not very related to this since there is no improvement
in this regard from what Gleb proposes.

> We're struggling with an issue that appears to be a "forever problem"
> - the "pf: state key linking mismatch" which affects pf as far back
> as we've been prepared to test (FreeBSD-8.0).  Although it only
> became visible in the logs in -CURRENT before 9-RELEASE with the
> pf import then.  It manifests as connections stalling randomly.
>
This has been an issue since the new pf(4) import.
It mostly comes from mbuf reuse and not proper cleanup of mbuf tags.
Some fixes were done already in FreeBSD, some come from Gleb's commit of
making pf(4) tags persistent, some have yet to be found.

> There's not been a fix since it was first reported.  We're seeing
> 0.08% of our connections dropped on the floor or about 4 per second.
> As a result, we've been seriously considering replacing our FreeBSD
> routers.

I have missed the report of this, can you point to details?

>
>> If you have not found out yet, testers for something that people take
>> for granted as firewalls are scarce in general.
>
> Testing this stuff is hard because it's very difficult to simulate
> a production environment outside of the production environment.
> People generally don't want production to break.
>
> Ian
>
> --
> Ian Freislich



-- 
Ermal


