Alternative to pf?

Jim Thompson jim at netgate.com
Thu Dec 18 03:15:15 UTC 2014



> On Dec 17, 2014, at 8:56 PM, Mario Lobo <lobo at bsd.com.br> wrote:
> 
> On Wed, 17 Dec 2014 20:05:10 -0600
> Jim Thompson <jim at netgate.com> wrote:
> 
>> 
>>> On Dec 17, 2014, at 7:54 PM, Mario Lobo <lobo at bsd.com.br> wrote:
>>> 
>>> On Thu, 18 Dec 2014 00:43:59 +0100
>>> Daniel Engberg <daniel.engberg.lists at pyret.net> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> During the year there has been several discussions regarding the
>>>> state of pf in FreeBSD. In most cases it seems to boil down to that
>>>> it's too hard/time-consuming to bring upstream patches from OpenBSD
>>>> to FreeBSD. As it's been mentioned Apple seems to update pf
>>>> somewhat (copyright is changed to 2013 at least) and file size
>>>> differs between OS X releases but I wasn't able to find any commit
>>>> logs.
>>>> 
>>>> That said, NetBSD have something similar to pf in syntax called
>>>> npf which seems actively maintained and the author seems open to
>>>> the idea of porting it to FreeBSD.
>>>> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
>>>> However I'm not certain that it surpasses our current pf in terms
>>>> of functionality in all cases (apart from the firewalling ALTQ
>>>> comes to mind etc).
>>>> Perhaps this might be worth looking into and in the end drop pf due
>>>> to the reasons above?
>>>> 
>>>> That said, don't forget all the work that has gone into getting pf
>>>> where it is today.
>>>> While I'm at it, does anyone else than me use ALTQ? While it's not
>>>> multithreaded I find it a very good "tool" and it does shaping really
>>>> well.
>>>> 
>>>> Best regards,
>>>> Daniel
>>>> _______________________________________________
>>>> freebsd-pf at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>> To unsubscribe, send any mail to
>>>> "freebsd-pf-unsubscribe at freebsd.org"
>>> 
>>> 
>>> I think that just pf and ipfw would be more than "enough" for FBSD.
>>> I have used both but I'm more comfortable with pf's configuration
>>> than with ipfw. I have even tested ipfw filtering together with pf
>>> altq. I totally rely on pf's ALTQ at production simply because it
>>> works perfectly, no matter how complex the setup. Been using it for
>>> years now.
>> 
>> Even with the SMP in 10, pf is as slow as molasses in January, and
>> 10G interfaces are a thing now.
>> 
>> (Someone is sure to cry, "but I can fill a 10G interface in front of
>> pf!".  Yes, with max-sized packets. Try it with 256 byte (or 64 byte)
>> packets.  Yup.)
>> 
>> Moreover, pf has fundamental limitations (last match).
>> 
>>> From what I have read, there are quite a few changes in openbsd pf,
>>> especially as far as syntax is concerned. I'm just a user so I can only
>>> imagine the hard work involved in porting it but running the risk of
>>> making a lame comment, I would be completely satisfied if only 2
>>> things could be implemented: SMP and fix the ALTQ limitation "bug".
>> 
>> FreeBSD already has SMP, and I don’t know what you might be referring
>> to as “ALTQ limitation ‘bug’”.
>> 
>> Are you saying you’d be “completely satisfied” if you had SMP support
>> with OpenBSD or a port of OpenBSD’s pf to FreeBSD, or something else?
> 
> You're right! But I am very conservative when dealing with production
> servers and your observation that "Even with the SMP in 10, pf is as
> slow as molasses" is one of the reasons why I'm still with a fast
> stable/8 pf,

No, you seem to have (deliberately?) misinterpreted me. 

The pf in 8 is even slower. A lot slower. 

> plus the links we use are not even close to 10G,

So, "not my problem". 

pf won't even fill a 1Gb link with min-sized packets. 

> so an SMP pf patch that could be applied on 8 wouldn't be bad at all

Nobody in their right mind (who doesn't have an 8-figure engineering budget) is working on 8.

> Like I said, it has been working flawlessly for us since day one.
> 
> Yeah, I know ... I'll have to upgrade sometime but not before checking
> if everything works on 10 EXACTLY (and I mean EXACTLY) as it is working
> on 8 right now, SMP or not.
> 
> I can't speak about the nuts and bolts of pf's inside engine but as for
> the tweaks I can see and manage or its config syntax, yes I am satisfied
> and I must confess that I wouldn't be thrilled to change my pf.conf to
> a different layout and pray that it works exactly the same way.

This is the largest reason that the OpenBSD pf wasn't brought forward.

In other words: you can't have both X and !X.

> As for the "bug" I was referring to:
> 
> http://marc.info/?l=freebsd-pf&m=137359958238507&w=2
> 
> It doesn't concern me in the practical sense because we're the little
> guys with modest small links to the internet but concerns me as
> faithful user and admirer of FreeBSD that always wants to see it top
> notch no matter what conditions it is subjected to. 

It's fixed in pfSense. 
> 
> -- 
> Mario Lobo
> http://www.mallavoodoo.com.br
> FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)
> 
> "UNIX was not designed to stop you from doing stupid things, 
> because that would also stop you from doing clever things."
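The "last match" behaviour mentioned earlier in this thread is the property of pf that the last matching rule decides a packet's fate, unless a matching rule carries the `quick` keyword, which ends evaluation on the spot. The following is an added illustration, not code from this thread or from pf itself: a small Python model of that evaluation order, applied to a constructed ruleset written with first-match habits and to a hardened version of the same policy, plus a check that reports specific block rules which match a sample packet yet did not decide it. Rule fields, addresses and packets are all made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One simplified pf rule: action, source prefix (or 'any'), optional dst port."""
    action: str                     # "pass" or "block"
    src: str                        # CIDR prefix or "any"
    dst_port: Optional[int] = None  # None matches any destination port
    quick: bool = False             # pf's `quick`: stop evaluating on match


@dataclass(frozen=True)
class Packet:
    """Only the two fields this model looks at (constructed for the example)."""
    src: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """pf semantics: walk every rule; the LAST match decides, unless a matching
    rule is `quick`, which ends evaluation immediately. With no match at all pf
    passes the packet, reported here as index None."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision


def is_catchall(rule: Rule) -> bool:
    """A 'block any' default-deny rule is expected to be overridden by later pass rules."""
    return rule.src == "any" and rule.dst_port is None


def overridden_blocks(rules: List[Rule], pkts: List[Packet]) -> List[int]:
    """Audit helper: indices of specific (non-catch-all) block rules that match
    some sample packet which the ruleset nevertheless passes. Under last-match
    semantics that is the classic mistake of putting a broad pass rule last."""
    shadowed = set()
    for pkt in pkts:
        final_action, _ = evaluate(rules, pkt)
        if final_action != "pass":
            continue
        for i, rule in enumerate(rules):
            if rule.action == "block" and not is_catchall(rule) and matches(rule, pkt):
                shadowed.add(i)
    return sorted(shadowed)


# Constructed ruleset written as if the first match won (ipfw-style habit).
NAIVE = [
    Rule("block", "10.0.0.0/8", 22),   # intended: no SSH from 10/8
    Rule("pass", "any"),               # catch-all placed last: it becomes the last match
]

# Same intent, written for pf: default deny first, the specific block made quick,
# and only the permitted source passed afterwards.
HARDENED = [
    Rule("block", "any"),                          # default deny, evaluated first
    Rule("block", "10.0.0.0/8", 22, quick=True),   # quick: nothing after this can override it
    Rule("pass", "192.168.1.0/24", 22),            # the only SSH source allowed
]

# Constructed sample traffic.
SAMPLES = [Packet("10.1.2.3", 22), Packet("192.168.1.5", 22), Packet("192.168.1.5", 80)]

if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("hardened", HARDENED)):
        for pkt in SAMPLES:
            print(name, pkt, "->", evaluate(rules, pkt))
        print(name, "specific block rules that never decided a passed packet:",
              overridden_blocks(rules, SAMPLES))
```

Run as a script it prints, for each ruleset, which rule decided each sample packet; the naive set passes the 10.1.2.3:22 packet on rule 1 even though rule 0 matched it, while the hardened set blocks it on the quick rule 1 and the audit reports no shadowed block rules.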