Future of pf / firewall in FreeBSD? - does it have one?

Gleb Smirnoff glebius at FreeBSD.org
Fri Jul 18 11:06:55 UTC 2014


On Thu, Jul 17, 2014 at 01:12:09AM +0200, Kristian K. Nielsen wrote:
K> a) First of all - are any actively developing pf in FreeBSD?

No one right now.

K> b) We are a major release away from OpenBSD (5.6 coming soon) - is
K> following OpenBSD's pf the past? - should it be?

Following OpenBSD on features would be cool, but no bulk imports
would be made again. Bulk imports produce a port of bad quality,
and also pf in OpenBSD has no multi-thread support.

K> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a 
K> long discussion on the pf-mailing list flamed the new syntax saying it 
K> would cause FreeBSD administrators too much headache. Today on the list 
K> it seems everyone wants it - so would we rather stay on a dead branch 
K> than keep up with the main stream?

The pf mailing list is about a dozen active people. Yes, they are vocal
on the new syntax. But there also exists a large number of common FreeBSD
users who simply use pf w/o caring about syntax and reading the pf mailing
list. If we destroy the syntax compatibility, a very large population of
users would be hurt, for the sake of making a dozen happy.

K> d) Anyone working on bringing FreeBSD up to pf 5.6? - seem dead on the 
K> pf-list.

See b).

K> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
K> http://undeadly.org/cgi?action=article&sid=20140419151959

We have a plan to retire the interface queues entirely. So, interfaces
would have only a transmit method. However, we could make it pluggable:
an altq_transmit is plugged in place of the standard transmit. This will
keep ALTQ in the system, but w/o any effect on the rest of the stack.
Very much like the pfil(9) interface cleaned up the network stack
from ipfw/ipfilter hooks.

This needs developer power, however.

K> f) IPv6 support? - it seems to be more and more challenged in the current 
K> version of pf in FreeBSD and I am (as well as others) introducing more 
K> and more IPv6 in networks.
K> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933, 
K> which is the bug on not handling IPv6 fragments, which has been open 
K> since 2008 and where the workaround is the necessity to leave a completely 
K> open hole in your firewall ruleset to allow all fragments. According to 
K> a comment in the bug, this has been long gone in OpenBSD.

Yes. This hurts a lot of people and needs manpower to be solved.

K> g) Performance, can we live with pf performance that, compared to OpenBSD, 
K> is slower by a factor of 3 or 4, even after the multi-core support in 
K> FreeBSD 10?
K> (Henning Brauer noted that in this talk at 
K> http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and 
K> 36:53)) - credit/Jim Thompson

I was there. Henning Brauer impudently called "a lie" a fact that was
carefully measured and provided with enough details (CPU, NIC, testing
technique, configuration), so that anyone can reproduce and check it [1].
In the next 10 seconds Henning Brauer claimed that on a single core OpenBSD
is faster by a factor of 3 or 4, providing absolutely no test data.

Impudently crying "Lies!" and getting approving laughter from the
audience is a politician's way of discussion. Uncorroborated claims,
where predictions vary by 33%, are also a politician's tool. Henning definitely
could make a career.

The scientific way of discussion is making an experiment, publishing
results and experiment details, so that anyone can reproduce them.

P.S. Not to mention, who cares about single-core performance today?

K> h) Bringing back patches from pfSense?

Possible if they are useful and the license permits. Again, manpower required.

K> And my most important question:
K> * Should this or could this be a project for the foundation to either do 
K> a summer project or funded project to bring this part of the OS up to date?

First, we need a person, then we need funding. In late 2012, when I finished
the pf-smp project, I was seeking funding to continue. A couple of negotiations
failed. Now I have lost the momentum on pf and switched to other tasks, so I am
not available.

[1] I mean the testing made by Olivier Cochard Labbé.
    More details in mailing list archives, or you can request from Olivier.

Totus tuus, Glebius.
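Added illustration, not part of the thread above: the "completely open hole" workaround for bug #124933 that Kristian describes, written out as a constructed pf.conf fragment so that the size of the hole is visible to anyone auditing a FreeBSD 10 ruleset. The protocol name `ipv6-frag` (protocol 44) comes from /etc/protocols; that pf's `proto` keyword matches the IPv6 fragment extension header by that name is an assumption here, as is the rest of the ruleset.

```conf
# Constructed example (not from the thread): a minimal FreeBSD 10 pf.conf
# showing the IPv6-fragment workaround discussed under point f).

# Reassembly works for IPv4 fragments; per the thread, FreeBSD's pf of this
# era does not reassemble IPv6 fragments, so the line below does not help them.
scrub in all fragment reassemble

# Default deny inbound.
block in all

# The workaround for bug #124933, i.e. the "open hole": every IPv6 packet
# carrying a fragment extension header (protocol 44, "ipv6-frag" in
# /etc/protocols; assumed to match here) is accepted from any source on any
# interface, before the stateful rules below ever see it.
pass in quick inet6 proto ipv6-frag

# Normal stateful policy for everything that is not a fragment.
pass in inet6 proto tcp to port { 22, 443 } keep state
pass in inet6 proto icmp6 keep state
pass out all keep state
```

The `pass in quick inet6 proto ipv6-frag` line is the risk: because the firewall cannot reassemble IPv6 fragments, fragmented traffic is neither matched against the port-specific rules nor tracked as state, so the only thing the later rules protect is unfragmented traffic. A reviewer can find the rule in a loaded ruleset with `pfctl -sr | grep ipv6-frag` and should treat its presence as a known gap to document, not as a deliberate policy.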
