Alternative to pf?

Jim Thompson jim at netgate.com
Thu Dec 18 02:05:14 UTC 2014


> On Dec 17, 2014, at 7:54 PM, Mario Lobo <lobo at bsd.com.br> wrote:
> 
> On Thu, 18 Dec 2014 00:43:59 +0100
> Daniel Engberg <daniel.engberg.lists at pyret.net> wrote:
> 
>> Hi,
>> 
>> During the year there have been several discussions regarding the
>> state of pf in FreeBSD. In most cases it seems to boil down to the fact that
>> it's too hard/time-consuming to bring upstream patches from OpenBSD
>> to FreeBSD. As has been mentioned, Apple seems to update pf somewhat
>> (copyright is changed to 2013 at least) and file size differs between
>> OS X releases, but I wasn't able to find any commit logs.
>> 
>> That said, NetBSD has something similar to pf in syntax called npf,
>> which seems actively maintained, and the author seems open to the idea
>> of porting it to FreeBSD.
>> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
>> However, I'm not certain that it surpasses our current pf in terms of
>> functionality in all cases (apart from the firewalling, ALTQ comes to
>> mind, etc.).
>> Perhaps this might be worth looking into and in the end drop pf due
>> to the reasons above?
>> 
>> That said, don't forget all the work that has gone into getting pf
>> where it is today.
>> While I'm at it, does anyone other than me use ALTQ? While it's not
>> multithreaded, I find it a very good "tool" and it does shaping really
>> well.
>> 
>> Best regards,
>> Daniel
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> 
> 
> I think that just pf and ipfw would be more than "enough" for FBSD. I
> have used both, but I'm more comfortable with pf's configuration than
> with ipfw. I have even tested ipfw filtering together with pf ALTQ. I
> totally rely on pf's ALTQ in production simply because it works
> perfectly, no matter how complex the setup. I've been using it for years now.

Even with the SMP in 10, pf is as slow as molasses in January, and 10G interfaces are a thing now.

(Someone is sure to cry, “but I can fill a 10G interface in front of pf!”. Yes, with max-sized packets.
Try it with 256-byte (or 64-byte) packets. Yup.)

Moreover, pf has fundamental limitations (last match).

> From what I have read, there are quite a few changes in OpenBSD pf,
> especially as far as syntax is concerned. I'm just a user, so I can only
> imagine the hard work involved in porting it, but at the risk of
> making a lame comment, I would be completely satisfied if only 2 things
> could be implemented: SMP and a fix for the ALTQ limitation "bug".

FreeBSD already has SMP, and I don’t know what you might be referring to as “ALTQ limitation ‘bug’”.

Are you saying you’d be “completely satisfied” if you had SMP support with OpenBSD or a port of OpenBSD’s pf to FreeBSD, or something else?
