Future of pf / firewall in FreeBSD ? - does it have one ?

Alexander Kabaev kabaev at gmail.com
Sun Jul 20 17:41:44 UTC 2014


On Sun, 20 Jul 2014 10:15:36 -0400
Maxim Khitrov <max at mxcrypt.com> wrote:

> On Sun, Jul 20, 2014 at 8:39 AM, Lars Engels <lars.engels at 0x20.net>
> wrote:
> > On Sun, Jul 20, 2014 at 12:18:54PM +0100, krad wrote:
> >> All of that is true, but you are missing the point. Having two
> >> versions of pf on the BSDs at the user level is a bad thing. It
> >> confuses people, which puts them off. It's a classic case of divide
> >> and conquer for other platforms. I really like the idea of the
> >> openpf version that has been mentioned in this thread. It would
> >> be awesome if it ended up as a supported Linux thing as well, so
> >> the world could be rid of iptables. However, I guess that's just an
> >> unrealistic dream.
> >
> > And you don't seem to get the point that _someone_ has to do the
> > work. No one has stepped up so far, so nothing is going to change.
> 
> Gleb believes that the majority of FreeBSD users don't want the
> updated syntax, among other changes, from the more recent pf versions.
> Developers who share his opinion are not going to volunteer to do the
> work. This discussion is about showing this belief to be wrong, which
> is the first step in the process.
> 
> In my opinion, the way forward is to forget (at least temporarily) the
> SMP changes, bring pf in sync with OpenBSD, put a policy in place to
> follow their releases as closely as possible, and then try to
> reintroduce all the SMP work. I think the latter has to be done
> upstream, otherwise it'll always be a story of diverging codebases.
> Furthermore, if FreeBSD developers were willing to spend some time
> improving pf performance on OpenBSD, then Henning and other OpenBSD
> developers might be more receptive to changes that make the porting
> process easier.

I am one person whose opinion Gleb got completely right - I could not
care less about new syntax, nor about how close or how far we are from
OpenBSD, as long as pf works for my purposes, and it does. This far
into the thread, somebody has yet to provide a comprehensive list of
the benefits that we allegedly miss, or to come up with a real
benchmark result to substantiate the performance claims.

Focusing on disproving anything Gleb might believe on the
matter, while an interesting undertaking, does nothing to give you the new
pf you supposedly want. Doing the work and bringing it all the way to
completeness for commit - does.

It was stated repeatedly by multiple people that FreeBSD's network
stack is way too different from OpenBSD's; we support features
OpenBSD doesn't and vice versa (vimage is a good example), which throws a
giant wrench into the plan of following OpenBSD 'as closely as
possible', even at the expense of throwing away all of the SMP work
done in pf to date.

-- 
Alexander Kabaev