Date: Fri, 27 Jan 2012 10:55:43 +1100
From: Peter Jeremy <peterjeremy@acm.org>
To: Walt Elam <wrelam@gmail.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Getting Involved
Message-ID: <20120126235543.GA38187@server.vk2pj.dyndns.org>
In-Reply-To: <CAConN%2Bkq8kHZGNUHP9vgZDNYbQWVAcWRsWS89iXASffsPDMCEg@mail.gmail.com>
References: <CAConN%2BkZquK7MJ_6YPtEV=sJdqC%2BniRqMmp2ZgQL%2Bo2m1wvXSQ@mail.gmail.com> <CAPBZQG2S9T4v_4g09mXaukG4o3_4w8h51py6-iPoA%2BgmsuenUw@mail.gmail.com> <9EB23F6C23A8B6488E8BCC92A48E832612A5BC03A9@PEMEXMBXVS04.jellyfishnet.co.uk.local> <E0053250-530D-4ADA-8230-E506814E475D@lists.zabbadoz.net> <CAConN%2Bke5h3V6fponKgKc_Yc_XgQ%2BGXo9p_Pqqg85NKkbW158w@mail.gmail.com> <CAConN%2Bkq8kHZGNUHP9vgZDNYbQWVAcWRsWS89iXASffsPDMCEg@mail.gmail.com>

On 2012-Jan-23 00:42:13 -0500, Walt Elam <wrelam@gmail.com> wrote:
>I searched a bit this weekend and couldn't figure out where exactly to
>download the code for OpenBSD's PF.

Unlike things like OpenSSH, PF was not developed and is not available
as a standalone, portable package. The only way to get the code is to
check out the relevant bits of the OpenBSD repository using one of the
methods listed under "Getting Source" on http://www.openbsd.org/

> Also, if it is all written in C, then I don't
>understand why we couldn't just install the right ports/packages and have
>the OpenBSD code work in FreeBSD. Could someone explain that, please?

PF isn't a userland application that uses (e.g.) POSIX standard interfaces
and just needs recompilation to work in FreeBSD. It is intimately
linked into the network stack and relies on internal kernel interfaces -
which are not standardised. Whilst FreeBSD and OpenBSD are both derived
from the same codebase, they have diverged over the years and it's not
possible to move arbitrary kernel code from one to the other and have it
"just work".

Specific issues with moving the PF code include the work on virtualising
and parallelising the FreeBSD network stack whereas OpenBSD has a
single-threaded network stack. As a minimum, you need to add a lock
around the PF code - though this would adversely impact throughput.
A more thorough port would involve adding fine-grained locking to the
PF code and adjusting some of the data structures to reduce cache-thrashing.

>Lastly, I didn't really understand the reason given for using the old
>syntax. Even if we focused on porting over pf 4.7 then that would
>technically be enough to get in to the new syntax for rules.

The whole problem is that the new syntax is not backward compatible
with the old syntax.

There has recently been a fairly long thread in -hackers discussing
(in part) the need for long-term stability of interfaces. The FreeBSD
Project offers interface stability within major versions, therefore
an incompatible change in PF syntax could not be introduced into any
FreeBSD-9 or earlier branch. It would seem a reasonable goal to port
pf 4.7 (or later) into -current so it will form part of 10.x but I
can't see it appearing in 9.x.

-- 
Peter Jeremy