Future of pf / firewall in FreeBSD ? - does it have one ?
adrian at freebsd.org
Thu Jul 17 19:26:34 UTC 2014
There's a large set of patches from pfsense. Some (like re-adding
if_start methods to things to make ALTQ work) can't be merged back.
Others (like teaching the stack about 802.1p) should be merged back.
What's missing is someone who wants to grab those patches, figure out
what can be put into FreeBSD-HEAD and merged back into FreeBSD-10, and
pfsense have done an enormous amount of work already in getting their
diffs into an easily digestible format. Someone from the community
just needs to stand up and take ownership of that.
If the patches are good and are tested by a variety of people, I'm
happy to commit them to -HEAD.
So, start with this one?
On 17 July 2014 12:13, Lukasz <lukasz at chroot.pl> wrote:
> On 07/17/2014 01:15 AM, Kristian K. Nielsen wrote:
>> Hi all,
>> I have been encouraged by people on the pf mailing list to move this
>> discussion to the current mailing list since this may be an area in the
>> OS where FreeBSD needs to focus on next.
>> First of all I am a happy user of the pf firewall module and have been
>> for years and think it is really great - the trouble is that lately
>> (since 2008) it's getting a bit dusty.
>> The last few years it seems that pf in FreeBSD got a long way away from
>> pf in OpenBSD where it originated
>> - also looking at the ipfilter (ipf) and ipfw - they both to me do not
>> seem to be as complete as pf.
>> So I am curious if anyone on the mailing list could elaborate about what the
>> future of pf in FreeBSD is or should be.
>> a) First of all - is anyone actively developing pf in FreeBSD?
>> b) We are a major release away from OpenBSD (5.6 coming soon) - is
>> following OpenBSD's pf the past? - should it be?
>> c) We never got the new syntax from OpenBSD 4.7's pf - at the time a
>> long discussion on the pf-mailing list flamed the new syntax saying it
>> would cause FreeBSD administrators too much headache. Today on the list
>> it seems everyone wants it - so would we rather stay on a dead branch
>> than keep up with the main stream?
>> d) Anyone working on bringing FreeBSD up to pf 5.6? - seem dead on the
>> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
>> f) IPv6 support? It seems to be more and more challenged in the current
>> version of pf in FreeBSD and I am (as well as others) introducing more
>> and more IPv6 in networks.
>> E.g. Bugs #179392, #172648, #130381, #127920 and more seriously #124933,
>> which is the bug on not handling IPv6 fragments which has been open
>> since 2008 and where the workaround is the necessity to leave a completely
>> open hole in your firewall ruleset to allow all fragments. According to
>> a comment in the bug, this has been long gone in OpenBSD.
>> g) Performance, can we live with pf-performance that compared to OpenBSD
>> is slower by a factor of 3 or 4, even after the multi-core support in
>> FreeBSD 10?
>> (Henning Brauer noted that in this talk at
>> http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and
>> 36:53)) - credit/Jim Thompson
>> h) Bringing back patches from pfSense?
>> And my most important question:
>> * Should this or could this be a project for the foundation to either do
>> a summer project or funded project to bring this part of the OS up to date?
>> Hope to hear from you all,
>> Best regards,
>> Kristian Kræmmer Nielsen,
>> Odense, Denmark
>> freebsd-questions at freebsd.org mailing list
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
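The IPv6-fragment workaround Kristian refers to under point f), written out as a pf.conf fragment. This is an added example, not configuration from the thread, from pfSense or from the FreeBSD project; the interface name, the prefix and the surrounding block/pass rules are assumptions constructed for illustration. The commented-out rule is the "open hole" form (every IPv6 fragment passes, regardless of direction, destination or state); the active rule narrows the same exception to inbound traffic on the external interface toward the one prefix that must receive fragmented datagrams. The scrub line is the FreeBSD-syntax request for fragment reassembly; per the bug cited above it did not cover IPv6 on the FreeBSD pf of the time, which is the only reason an ipv6-frag pass rule is needed at all.

```pf
# Added example (not from the thread): IPv6-fragment workaround for the
# FreeBSD pf behaviour described in bug #124933. All macros are assumptions.
ext_if  = "em0"                 # assumed external interface
lan_net = "2001:db8:1::/64"     # RFC 3849 documentation prefix, constructed

# Ask pf to reassemble fragments before rule evaluation. On the FreeBSD pf
# discussed in the thread this did not apply to IPv6, so non-first IPv6
# fragments (which carry no TCP/UDP header) never match a state entry and
# are dropped by "block in all" below.
scrub in on $ext_if all fragment reassemble

# The "open hole" form of the workaround: every IPv6 fragment from anywhere
# to anywhere is accepted without any state check. Kept here, disabled, only
# to show what the workaround does.
# pass in quick inet6 proto ipv6-frag from any to any

# Narrower form: same exception, but only inbound on the external interface
# and only toward the prefix that has to receive fragmented datagrams. Still
# an unconditional pass for those fragments; only real reassembly removes it.
pass in quick on $ext_if inet6 proto ipv6-frag from any to $lan_net

# Default policy assumed for the example.
block in all
pass out all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the point of the narrowed rule is that a fragment-handling exception should be scoped to an interface and a destination rather than left as a global `from any to any` pass, and that it should be removed as soon as the running pf reassembles IPv6 fragments itself.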