PF bugs

Thomas Steen Rasmussen thomas at gibfest.dk
Thu Jun 27 12:13:18 UTC 2013


On 25-06-2013 17:37, Gleb Smirnoff wrote:
>    Peter,
>
> On Sat, Jun 22, 2013 at 02:59:57PM +0200, Peter N. M. Hansteen wrote:
> P> > Ok.  I wish PF on FreeBSD and OpenBSD were in sync.
> P>
> P> With the differences in release schedules (OpenBSD releases N.m+1
> P> every six months, while the FreeBSD cycles typically take longer) a
> P> total sync is unlikely, but it would save some of us a bit of
> P> maintenance work if FreeBSD finally made the jump to post-OpenBSD 4.7
> P> syntax and various 4.5 and onwards goodies like match, pflow and a few
> P> others.
>
>    The number of people who run both OpenBSD and FreeBSD is significantly
> less than the number of people who just run FreeBSD and routinely upgrade
> it from version to version. I understand that having different syntax
> is a PITA for those who run both BSDs, sorry for that.

This is a PITA for _everyone_ who has ever tried googling some
syntax or found a tutorial for pf online. Or read Peter
Hansteen's excellent books. Or spoken to someone at a
conference only to find out that his suggestion doesn't apply.

To think that the FreeBSD handbook alone can serve as documentation
for the FreeBSD version of pf is just silly. A well-functioning
community around something like pf produces lots and lots of
documentation, best practices, examples of complicated setups,
blogposts, etc. etc.

I see only two solutions to this: the preferred solution is to change
FreeBSD pf to match OpenBSD pf ruleset syntax and features. This
would mean that we would keep the OpenBSD and FreeBSD pf communities
"in sync" and people could still use the same information regardless
of OS.

The other solution is to rename pf in FreeBSD to something else,
like fpf or whatever, to make it clear to everyone that they are
not the same. This would mean that we (FreeBSD) would have to grow
a new community around fpf. But it would make it possible to google
examples and stuff again, without hitting irrelevant OpenBSD stuff.

Let me repeat to make it perfectly clear: The current situation with
two very different firewalls with the same name only serves to
confuse and frustrate users. If aligning syntax and functionality
is too much work, or impossible for other reasons, a rename
of "our" pf is the only right thing to do.

> But changing
> syntax in FreeBSD would be PITA for a vast majority of people. That's
> why many FreeBSD developers are against changing syntax.

I've seen this argument over and over again. We can't just stop
progress because it would be inconvenient for people. At some
point (and IMO that point is way in the past) we have to conclude
that the advantages outweigh the disadvantages, and just do it.


Best regards,

Thomas Steen Rasmussen
