Future of pf / firewall in FreeBSD ? - does it have one ?

Maxim Khitrov max at mxcrypt.com
Sun Jul 20 14:16:14 UTC 2014

On Sun, Jul 20, 2014 at 8:39 AM, Lars Engels <lars.engels at 0x20.net> wrote:
> On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote:
>> All of that is true, but you are missing the point. Having two versions of
>> pf on the BSDs at the user level is a bad thing. It confuses people,
>> which puts them off. It's a classic case of divide and conquer for other
>> platforms. I really like the idea of the openpf version that has been
>> mentioned in this thread. It would be awesome if it ended up as a supported
>> Linux thing as well, so the world could be rid of iptables. However, I guess
>> that's just an unrealistic dream.
> And you don't seem to get the point that _someone_ has to do the work.
> No one has stepped up so far, so nothing is going to change.

Gleb believes that the majority of FreeBSD users don't want the
updated syntax, among other changes, from the more recent pf versions.
Developers who share his opinion are not going to volunteer to do the
work. This discussion is about showing this belief to be wrong, which
is the first step in the process.

In my opinion, the way forward is to forget (at least temporarily) the
SMP changes, bring pf in sync with OpenBSD, put a policy in place to
follow their releases as closely as possible, and then try to
reintroduce all the SMP work. I think the latter has to be done
upstream, otherwise it'll always be a story of diverging codebases.
Furthermore, if FreeBSD developers were willing to spend some time
improving pf performance on OpenBSD, then Henning and other OpenBSD
developers might be more receptive to changes that make the porting
process easier.