Plans for 6-CURRENT and 5-STABLE

Max Laier max at love2party.net
Sun Oct 17 16:02:25 PDT 2004


All,

[Attention: Long mail - lot of babbling]

now that RELENG_5_3 has been cut and FreeBSD 5.3 - the first release to ship 
with PF - is about to leave the door, it's time to talk about the future 
direction of PF development within FreeBSD. I'd like to share some of the 
plans I have in mind and the anticipated schedule for them.

One of the more serious problems we have to address is how (and if) we stay in 
sync with OpenBSD. As far as I understand, it is suggested not to change any 
kernel <-> userland API/ABI during a -STABLE cycle. This effectively means 
that we can *not* track OpenBSD releases in -STABLE since they tend to change 
the API/ABI a lot. I think, however, that PF as of OpenBSD 3.5 (the one we have 
now as part of 5-STABLE) is already very mature and will serve well for the 
coming <2 years until we move on to 6-STABLE.

There are some FreeBSD specific things that need improvement and clean up. 
This is the first task that I will work on in 6-CURRENT starting from now. 

Most prominently this includes the interface handling. There are some open 
problems to be addressed, such as the inability to recognize renamed 
interfaces as well as problems around 6to4. The hotfix for the interface 
renaming that I posted here a while ago (and was not tested :-( ) causes some 
problems with unloading the module and hence has not been committed. There is 
some more fundamental cleaning to be done in that part of the code.

Together with the cleaning I will address the way we handle the PF modules at 
the moment. It should be possible to load pflog/pfsync as individual modules. 
It is yet unclear if that is possible without impact on performance, so 
we will consider this very carefully.

Another big thing on the plate now is shared/exclusive lock semantics for 
the ruleset evaluation. This will not only speed things up by quite a bit, 
but will also remove the requirement to run with mpsafenet=0 if one wants to 
use user/group based filter rules. Preliminary patches have been on the list 
some time ago, but there are serious shortcomings and we will have to take 
this back to the blueprint planning to make it as good as we want it to be.

All these projects will be merged into 5-STABLE once they have proven themselves in HEAD.

Other than that, we will resume tracking OpenBSD releases once (some of) the 
above tasks have been completed. If we catch up on OpenBSD 3.6 in HEAD now, it 
will only complicate the testing of these changes. At the same time we will 
start to work on some FreeBSD specific features, but this has a low(er) 
priority for the moment. It seems that pf development has reached a point of 
maturity and will not gain too many new features in the next releases of 
OpenBSD. There are some interesting cleanups and improvements of existing 
infrastructure, but the main capabilities seem to have settled.

Thanks for reading so far, please let me know your thoughts, concerns and 
questions.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News