Future of pf / firewall in FreeBSD ? - does it have one ?
glebius at FreeBSD.org
Tue Jul 29 10:35:16 UTC 2014
On Sun, Jul 20, 2014 at 12:30:59PM -0400, Mike. wrote:
M> |> imho, the root problem here is that an effort to implement a
M> |> feature improvement (multi-threading) has caused the FreeBSD
M> |> of pf to apparently reach a near-unmaintainable position in the
M> |> FreeBSD community because improvements from OpenBSD can no longer
M> |> ported over easily. FreeBSD's pf has been put in a virtual
M> |> isolation chamber due to the multi-threaded enhancement.
M> |> Was it worth it?
M> |Yes. This happened *three times* in BSD land now. How much more
M> |proof does it take to make that clear?
M> In this instance, more proof would consist of pf development not
M> wallowing in inactivity.
M> imo, tactical changes were implemented in pf without the strategic
M> negative consequences affecting the decision process guiding the
M> implementation of those tactical features. And that's backwards.
M> Strategies direct tactics, not vice versa.
I would strongly disagree with you. I would claim that directions
I've put in pf in 2012 are strategically correct, while previous
life of pf in FreeBSD was not.
History: pf appeared in FreeBSD in 2004 in 5.3-RELEASE. It was already
outdated. It isn't possible otherwise. While Max spent time on porting
some stable version, the OpenBSD moved forward. It was later updated
again by Max, and again right after update it was outdated. I mean
that people who a) believe that OpenBSD pf is the one true b) eager
for bleeding edge version, these people simply cannot be satisfied.
A porter needs to take latest stable version from OpenBSD and spend
some time working on it. So, pf in FreeBSD was always "outdated",
even before my SMP work on it.
Further history: in 2012 Ermal updates pf and 9.0-RELEASE is shipped.
In 2004 we've got 10 years of diverging developement between FreeBSD
and OpenBSD. In 2012 it was 18 years. Porting got harder. The pf in
9.x is again outdated and introduces a number of bugs that were not
present in 8.x (regressions). Most regressions didn't came from OpenBSD,
but were artifacts of porting. Also, the number of #ifdefs in code
became so unbearable that no one would want to go through code
In 2012 for me it was obvious that following this route is strategically
incorrect. You are never "up to date". You need more efforts to port
pf, and you yield in a port of worse and worse quality over time.
So, in 2012 I put a lot of efforts to not only bring pf out of a
single mutex, but also make it more native to FreeBSD. You can
read this through commit logs.
The net result is that we got our own pf, that can be maintained
further. Unfortunately, still no person is seen on horizon who can
Totus tuus, Glebius.
More information about the freebsd-questions