[FreeBSD 11 Wishlist] Replacing an OpenBSD Firewall

Adrian Chadd adrian at freebsd.org
Fri Jan 2 16:53:37 UTC 2015


On 2 January 2015 at 07:41, Mark Felder <feld at freebsd.org> wrote:
> UPDATE:
>
> I have everything working except QoS, so thanks for the 6rd gif tunnel
> workaround Nathan. ALTQ being absent from GENERIC is another sore spot
> that should be investigated.

I'm waiting for Gleb to do up his ifnet changes so we can do ninja
replacements of altq with something that won't cause massive normal
performance problems even if it's not being used.

(altq isn't compatible with the if_transmit method of doing transmit
handling, so drivers that support altq end up implementing the older
if_start method - that's a single queue and simply locked. It just
doesn't work well for 10g and above.)

> I've been encouraged to use ipfw and dummynet, but converting my
> firewall rules again is not something I'm enthusiastic about. I'll note
> that FreeBSD is often praised for including pf while ipfw is completely
> overlooked; our own Handbook even puts pf before ipfw. That certainly
> sends a message that we may not be intending to send and should be
> considered carefully.

Well, I bet the handbook updates were written by a pf-loving person. :)

ipfw is pretty awesome today.


-adrian
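
The ipfw + dummynet route Mark mentions, as an added example that is not part of the thread and not code from either poster: a small sh script that builds the dummynet pipes and WF2Q+ queues an ALTQ user would otherwise reach for. Interface names, the 20 Mbit/s up / 100 Mbit/s down link sizes, the LAN prefix, the 90:10 weights and the rule numbers are all assumptions chosen for illustration; adjust them to the real link.

```shell
#!/bin/sh
# Added example (not from the thread): traffic shaping with ipfw + dummynet,
# standing in for pf/ALTQ queues on FreeBSD.
# Assumptions (illustrative, not from the thread): uplink em0 at 20 Mbit/s
# out / 100 Mbit/s in, LAN 192.168.1.0/24. DNS and ssh go to a high-weight
# queue; everything else from the LAN shares a low-weight queue per host.
# Requires the dummynet module: kldload -n dummynet (not run here).
# Dry run:  IPFW=echo sh shape.sh apply

IPFW="${IPFW:-/sbin/ipfw}"
EXT_IF="${EXT_IF:-em0}"
LAN="${LAN:-192.168.1.0/24}"
UPLINK="${UPLINK:-20Mbit/s}"
DOWNLINK="${DOWNLINK:-100Mbit/s}"

# Print the ipfw argument lists, one per line.
# Pipe 1 models the physical uplink; queues 1 and 2 are WF2Q+ flows on
# that pipe with weights 90 and 10. Weights only bite when pipe 1 is
# saturated, so unloaded traffic sees no penalty. Queue 2 is masked on
# source address so each LAN host gets its own fair share of the bulk
# weight. Pipe 2 is a plain rate limit on the downlink.
dummynet_rules() {
    cat <<EOF
pipe 1 config bw $UPLINK
queue 1 config pipe 1 weight 90
queue 2 config pipe 1 weight 10 mask src-ip 0xffffffff
add 1000 queue 1 udp from $LAN to any 53 out xmit $EXT_IF
add 1010 queue 1 tcp from $LAN to any 22 out xmit $EXT_IF
add 1090 queue 2 ip from $LAN to any out xmit $EXT_IF
pipe 2 config bw $DOWNLINK
add 1100 pipe 2 ip from any to $LAN in recv $EXT_IF
EOF
}

# Feed each line to ipfw(8). Word splitting of $args is intended: each
# line is a complete ipfw argument list.
apply_rules() {
    dummynet_rules | while IFS= read -r args; do
        # shellcheck disable=SC2086
        $IPFW $args || exit 1
    done
}

# Number of ipfw invocations the ruleset produces (handy for a sanity check).
rule_count() {
    dummynet_rules | grep -c ''
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Two caveats when wiring this into an existing ipfw ruleset. These rules must sit before the rule that finally accepts the traffic, and with the default `net.inet.ip.fw.one_pass=1` a packet leaving a pipe or queue is accepted immediately rather than re-entering the ruleset; set `one_pass=0` if later rules still need to see it. After loading, `ipfw pipe show` and `ipfw queue show` confirm the pipes exist and show per-queue byte and drop counters, which is the quickest way to check that the classification rules actually match.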

