svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl
Rodney W. Grimes
freebsd-rwg at gndrsh.dnsmgr.net
Mon Apr 1 21:06:14 UTC 2019
> On 1 Apr 2019, at 18:47, Rodney W. Grimes wrote:
> > I know for a fact that there is desire, with financials avaliable,
> > to get our code updated. I do not think there is any specific
> > criteria desired, other than moved closer to the OpenBSD version.
> >
> It?s a good goal, but there are three major issues along the way to
> importing the latest OpenBSD version. (And I?m sure a whole bunch of
> smaller ones.)
This is a grand start, thank you for providing this input to the
process.
> Those are:
>
> - scalability
> - syntax
> - vimage
>
> The scalability issue is the obvious difference: OpenBSD?s pf is still
> very much single-core oriented, whereas the FreeBSD pf version can cope
> with multiple cores (somewhat) and is significantly faster on multicore
> hardware. Our version is by no means perfect, but it?s much faster
> than OpenBSD?s version. Much of the imperfections we have now is there
> because pf was designed in a giant locked kernel in the first place.
> Multi-core scalability was not part of its original design.
>
> Adopting OpenBSDs pf would mean redoing all of the locking work Gleb did
> years ago. Given the differences in OpenBSD?s pf (e.g. they keep
> states in a tree, not a hash table) it?s not a matter of replaying the
> previous work on a new pf version. This is a from the ground up
> introduction of fine grained locking in a code base that assumes a
> single giant lock. As I understand it the OpenBSD people are working on
> the problem as well, but I?ve not seen any diffs yet. If they?ve
> made significant progress we may be able to base our work on theirs.
> I don?t think it?d be acceptable to not have this, as it?d mean a
> very large performance regression.
>
> For reference, before I did the pfsync work we essentially had a
> single-threaded pf when pfsync was enabled. On my test hardware this
> meant a throughput of ~1.1Mpps, rather than the ~3.9Mpps without pfsync.
> I?d expect OpenBSDs pf to perform at around that ~1.1Mpps number
> without locking work.
The project funding source is OS agnostic, would it help if the
OpenBSD pf implementation was redone in a way that it had fine
grained locking. Would it be possible to apply Gleb's work as
a upstreaming operation to get this work in both implementations?
> The second issue is one of syntax, and that?s what I assume is the
> main reason people want OpenBSDs pf. We?re still on an older iteration
> of the pf syntax, but changing that would inevitably mean breaking old
> configurations. That might be acceptable on a major version update (i.e.
> going into 13), but would mean the new work could never be backported.
> That?s probably the only way forward though. I?m playing with
> importing the ?match? keyword and not breaking the ?scrub?
> syntax at the same time, but it?s a non-trivial problem, and that?s
> only one of the steps along the way.
Isnt there more than just syntax? I thought OpenBSD pf has features
that are not present in FreeBSD's pf implementation.
> Finally there?s vimage. That?s a FreeBSD-only feature, so naturally
> OpenBSDs pf is not aware of this. I expect that to be relatively easy to
> add back in, but it?s another obstacle. As vimage is what lets us have
> the pf tests we?ve got now I?d be very reluctant to let it go.
> It?s a supported feature in 12.0, so users will start to rely on it as
> well.
>
> TL;DR: It?s possible, but *hard*. Expect is to be many person-months
> of effort, and there?s no way it?s going to be a smooth ride.
So your quantifying this at man months and not man years,
that helps a bunch, that is clearly within the scope of
the funding.
>
> One thing I?ve thought of trying, and that might be an interesting
> stepping stone, is to create a port (/usr/ports/net/opf or whatever) of
> OpenBSD?s pf. In that version it?d be acceptable to not fix any of
> the above issues. It?d still give users to option of getting the new
> syntax. I?d expect this to be a relatively straightforward exercise.
> In principle there?s nothing to stop us from doing that same work in
> base, but we?re **NOT** going to import a fourth firewall. We?re
> just not.
But 4, its nice, its a power of 2, infact it is the second power of
2, such nice round numbers :-) I do like the idea of a first
implementation of pf as a port, that being a fast path to update it,
but would not want that as a long run solution.
> Regards,
> Kristof
--
Rod Grimes rgrimes at freebsd.org
More information about the freebsd-pf
mailing list