Future of pf / firewall in FreeBSD ? - does it have one ?

Peter Wemm peter at wemm.org
Sun Jul 20 02:59:28 UTC 2014


On Saturday 19 July 2014 13:06:52 Baptiste Daroussin wrote:
> On Fri, Jul 18, 2014 at 03:22:18PM -0400, Allan Jude wrote:
> > On 2014-07-18 15:07, Adrian Chadd wrote:
> > > On 18 July 2014 07:34, krad <kraduk at gmail.com> wrote:
> > >> that is true and I have no problem using man pages, however that's not
> > >> the way most of the world works and search engines aren't exactly new
> > >> either. We should be trying to engage more people not less, and part of
> > >> that is reaching out.
> > > 
> > > Then do the port and maintain it.
> > > 
> > > The problem isn't the desire to keep things up to date, it's a lack of
> > > people who want that _and_ are willing/able to do it _and_ are funded
> > > somehow.
> > > 
> > > So, please step up! We'll all love you for it.
> > > 
> > > 
> > > 
> > > -a
> > 
> > At vBSDCon Bapt@ volunteered to port the newer pf back to FreeBSD, after
> > spending some hours driving with Henning.
> 
> I tried and broke pf for a month and my changes have been reverted. This is
> not as simple as it looks: our code has diverged a lot in some parts and
> we do support things that OpenBSD does not (vimage). Syncing features requires
> us to be very careful. My priorities went elsewhere since that time, so now
> I will probably only focus on bringing in features I care about, and not the
> entirely new pf.
> 
> So no, do not count me as a volunteer to maintain pf. I'll probably do some
> work but not a full sync.

If anyone is looking for a really useful chunk to work on, please go back over 
the pf history in openbsd and find where they added ipv6 fragment support.  It 
was fairly well contained and didn't appear to be a big deal to port.  They 
did do something with mbuf tags that I'm suspicious of though.

IPv6 fragments are the biggest pain point we have on the freebsd.org cluster - 
yes, we use pf and IPv6 extensively, but dns with ipv6 involved is really 
painful without fragment support.

We sort-of work around it by using a dedicated IPv6 address that has nothing but 
the dns resolver clients and allow ipv6 fragments to it.  It's not ideal but 
it gets over the worst problems.

The other thing we had to do for usability is stop state tracking for udp dns 
- the sheer update rate was causing collisions and state drops / resets of 
other connections to the point of being really hard to use.

Those two tweaks - stopping heavy dns use from thrashing the state tables, and 
having a safe place to send fragments - make it quite usable for freebsd.org.

But, lack of ipv6 fragment processing still causes ongoing pain.  That's our 
#1 wish list item for the cluster.

-- 
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
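The two cluster workarounds described above (a dedicated resolver-facing IPv6 address that accepts unreassembled fragments, and stateless handling of UDP DNS so it cannot thrash the state table), written out as a pf.conf fragment. This is an added illustration, not a ruleset from the freebsd.org cluster or from the thread; the interface name, the `$dns_v6` address and the limit values are assumed placeholders.

```pf
# Assumed names: replace with the real external interface and the
# dedicated resolver-only IPv6 address (placeholder prefix below).
ext_if = "em0"
dns_v6 = "2001:db8::53"

# Keep the state table sized for the rest of the traffic; DNS is
# deliberately kept out of it below, so this limit is not consumed by
# short-lived resolver queries.
set limit states 100000

# Default deny; everything below is an explicit exception.
block in log on $ext_if inet6

# Stateless UDP DNS to the dedicated resolver address: "no state" skips
# state creation, so the high query rate cannot cause collisions or
# evict states belonging to other connections. Replies must therefore
# be permitted explicitly in the opposite direction.
pass in  quick on $ext_if inet6 proto udp from any to $dns_v6 port 53 no state
pass out quick on $ext_if inet6 proto udp from $dns_v6 port 53 to any no state

# The "fragment" keyword matches fragments that pf has not reassembled.
# Without IPv6 reassembly in this pf, fragmented DNS answers (common with
# DNSSEC) would otherwise be dropped; only the dedicated address gets
# this exception, so fragments cannot reach anything else behind pf.
pass in quick on $ext_if inet6 from any to $dns_v6 fragment

# Ordinary stateful rules for the remainder of the hosts follow here.
pass out on $ext_if inet6 keep state
```

Because the resolver address carries nothing else, the fragment and stateless exceptions stay confined to a single host rather than weakening filtering for the whole cluster.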