From owner-freebsd-pf@FreeBSD.ORG Fri Sep 7 11:02:42 2012
From: Ermal Luçi <ermal.luci@gmail.com>
To: Ian FREISLICH
Cc: pf@freebsd.org
Date: Fri, 7 Sep 2012 13:02:39 +0200
Subject: Re: [HEADS UP] merging projects/pf into head
References: <20120905115140.GF15915@FreeBSD.org> <50476187.8000303@gibfest.dk> <20120905183607.GI15915@glebius.int.ru> <20120906064640.GL15915@glebius.int.ru>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello Ian,

On Fri, Sep 7, 2012 at 11:26 AM, Ian FREISLICH wrote:
>> > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The
>> > OpenBSD-pf port has proved to be poorly maintained. After the last
>> > import that was made by you, at least the following regressions were
>> > introduced:
>> >
>> > - enabling pfsync immediately panics
>> > - kldunload pf.ko immediately panics
>>
>> Going to personal attacks shows you're willing to discuss as a civilized
>> person. Though that does not mean anything in the sense that bugs are
>> there to be found by testers.
>
> I don't think Gleb is being personal about this. Facts are
> facts and pf is currently unusable for me, even at home, because
> of spuriously dropped packets.
>

I have missed this in the freebsd-pf lists! I know of many things to be
fixed in general in pf(4), since I mostly fixed them already for pfSense.
Pushing some of those fixes into FreeBSD has mostly been delayed by $WORK
or by the workflow to follow for putting those fixes in FreeBSD. FYI, I
still have maintainer approval to go through.

> From my point of view as a user, the FreeBSD pf port is unmaintained.
> I'm sorry if you find this observation offensive. It seems like the
> only fixes available are to import a new pf from OpenBSD. There
> are structural issues that need to be addressed to make it work
> properly on FreeBSD and Gleb has done that.
>

This problem is not very related to this, since there is no improvement in
this regard from what Gleb proposes.

> We're struggling with an issue that appears to be a "forever problem"
> - the "pf: state key linking mismatch" which affects pf as far back
> as we've been prepared to test (FreeBSD-8.0). Although it only
> became visible in the logs in -CURRENT before 9-RELEASE with the
> pf import then. It manifests as connections stalling randomly.
>

This has been an issue since the new pf(4) import. It mostly comes from
mbuf reuse and not proper cleanup of mbuf tags. Some fixes were done
already in FreeBSD, some come from Gleb's commit of making pf(4) tags
persistent, some have yet to be found.

> There's not been a fix since it was first reported. We're seeing
> 0.08% of our connections dropped on the floor, or about 4 per second.
> As a result, we've been seriously considering replacing our FreeBSD
> routers.

I have missed the report of this, can you point to details?

>
>> If you have not found out yet, testers for something that people take
>> for granted as firewalls are scarce in general.
>
> Testing this stuff is hard because it's very difficult to simulate
> a production environment outside of the production environment.
> People generally don't want production to break.
>
> Ian
>
> --
> Ian Freislich

--
Ermal
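The "pf: state key linking mismatch" kernel message Ian quotes is the one thing an operator can grep for to see whether a router is hitting this. As an added example, not code from the thread, from pf(4) or from pfSense, here is a small POSIX shell script that counts that message per second in syslog-style lines and flags when the peak rate reaches a threshold (Ian's figure was about 4 per second). It counts log messages only, not dropped connections. The log lines are constructed, and the hostname fw1 and the other fields around the kernel message are assumptions about the /var/log/messages layout.

```shell
#!/bin/sh
# Added example: count "pf: state key linking mismatch" kernel messages per
# second from syslog-style lines and flag when the peak rate reaches a
# threshold. Not code from pf(4), pfSense or the thread.

# Constructed sample in FreeBSD /var/log/messages layout (host fw1 and the
# arp line are made up). The pf message text is the one quoted in the thread.
SAMPLE_LOG='Sep  7 11:02:40 fw1 kernel: pf: state key linking mismatch
Sep  7 11:02:40 fw1 kernel: pf: state key linking mismatch
Sep  7 11:02:41 fw1 kernel: pf: state key linking mismatch
Sep  7 11:02:41 fw1 kernel: pf: state key linking mismatch
Sep  7 11:02:41 fw1 kernel: pf: state key linking mismatch
Sep  7 11:02:42 fw1 kernel: arp: 10.0.0.5 moved from 00:11:22:33:44:55 to 00:11:22:33:44:66 on em0
Sep  7 11:02:43 fw1 kernel: pf: state key linking mismatch'

MSG='pf: state key linking mismatch'

# Read log lines on stdin; print "<count> <Mon> <day> <HH:MM:SS>" for every
# second in which the message appeared, busiest second first.
mismatch_per_second() {
    grep -F "$MSG" \
    | awk '{ ts = $1 " " $2 " " $3; n[ts]++ }
           END { for (ts in n) print n[ts], ts }' \
    | sort -rn
}

# Total number of occurrences on stdin (grep -c prints 0 when none).
total_mismatches() {
    grep -c -F "$MSG"
}

# Highest per-second count on stdin, 0 if the message never appears.
peak_rate() {
    peak=$(mismatch_per_second | head -n 1 | awk '{ print $1 }')
    echo "${peak:-0}"
}

# Exit 0 when the peak per-second rate on stdin is at least $1, else 1.
exceeds_rate() {
    [ "$(peak_rate)" -ge "$1" ]
}

# Demo on the constructed sample; in production feed it the kernel lines
# from /var/log/messages or dmesg output instead.
printf '%s\n' "$SAMPLE_LOG" | mismatch_per_second
```

The per-second bucketing keys on the syslog timestamp fields, so it works on any line the kernel logged through syslogd; if the message is read from dmesg without timestamps, prefix the lines (for example with `ts` from moreutils or the `-T` option of newer dmesg) before piping them in.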