Plans for 6-CURRENT and 5-STABLE
Max Laier
max at love2party.net
Sun Oct 17 16:02:25 PDT 2004
All,

[Attention: Long mail - lot of babbling]

Now that RELENG_5_3 has been cut and FreeBSD 5.3 - the first release to ship
with PF - is about to leave the door, it's time to talk about the future
direction on PF development within FreeBSD. I'd like to share some of the
plans I have in mind and the anticipated schedule for them.

One of the more serious problems we have to address is how (and if) we stay in
sync with OpenBSD. As far as I understand it is suggested not to change any
kernel <-> userland API/ABI during a -STABLE cycle. This effectively means
that we can *not* track OpenBSD releases in -STABLE since they tend to change
API/ABI a lot. I think, however, that PF as of OpenBSD 3.5 (the one we have
now as part of 5-STABLE) is already very mature and will serve well for the
coming <2 years until we will move on to 6-STABLE.

There are some FreeBSD specific things that need improvement and clean up.
This is the first task that I will work on in 6-CURRENT starting from now.
Most prominently this includes the interface handling. There are some open
problems to be addressed, such as the inability to recognize renamed
interfaces as well as problems around 6to4. The hotfix for the interface
renaming that I posted here a while ago (and was not tested :-( ) causes some
problems with unloading the module and hence has not been committed. There is
some more fundamental cleaning to be done in that part of the code.

Together with the cleaning I will address the way we handle the PF modules at
the moment. It should be possible to load pflog/pfsync as individual modules.
It is yet unclear if that is possible without impacts on the performance so
we will consider this very carefully.

Another big thing on the plate now is a shared/exclusive lock semantic for
the ruleset evaluation. This will not only speed things up by quite a bit,
but will also resolve the requirement to run with mpsafenet=0 if one wants to
use user/group based filter rules. Preliminary patches have been on the list
some time ago, but there are serious shortcomings and we will have to take
this back to the blueprint planning to make it as good as we want it to be.

All these projects will be merged into 5-STABLE once they have proven
themselves in HEAD.

Other than that, we will resume tracking OpenBSD releases once (some of) the
above tasks have been completed. If we catch up on OpenBSD 3.6 in HEAD it
will only complicate the testing of these changes. At the same time we will
start to work on some FreeBSD specific features, but this has a low(er)
priority for the moment. It seems that pf development has reached a point of
maturity and will not gain too many new features in the next releases of
OpenBSD. There are some interesting cleanups and improvements of existing
infrastructure, but the main capabilities seem to have settled.

Thanks for reading so far, please let me know your thoughts, concerns and
questions.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News