Future of pf in FreeBSD ? - does it have one ?
Jim Thompson
jim at netgate.com
Wed Jul 9 00:15:20 UTC 2014
On Jul 8, 2014, at 5:32 PM, Kristian K. Nielsen <freebsd at com.jkkn.dk> wrote:
> Hi all,
>
> I am a happy user of the pf firewall module and have been for years and think it is really great, but lately it's getting a bit dusty.
>
> The last few years, however, it seems that pf in FreeBSD got a long way away from pf in OpenBSD where it originated, and I am also continually watching where FreeBSD goes with ipfilter (ipf) and ipfw (dead?).
I think if anything it’s ipfilter that’s getting a bit dusty; check the thread from last year:
http://lists.freebsd.org/pipermail/freebsd-net/2013-April/035207.html
while ipfilter wasn’t removed from 10, there wasn’t a lot of resolution, either.
moreover, it is ipfw that is getting a lot of love (from luigi and crew), not ipfilter.
http://lists.freebsd.org/pipermail/freebsd-net/2012-August/032977.html
https://code.google.com/p/netmap-ipfw/
> So I am curious if anyone on the mailing list could elaborate on what the future of pf in FreeBSD is.
>
> a) First of all - is anyone actively developing pf in FreeBSD?
Yes. glebius multithreaded pf for 10. eri and gleb continue to work on it. gnn found an issue with the Jenkins hash recently, and proposed a fix.
work continues.
> b) We are a major release away from OpenBSD (5.6 coming soon) - is following OpenBSD's pf the past?
All I can offer here is opinion.
> c) We never got the new syntax from OpenBSD 4.7's pf - is that still blocking us?
‘blocking’?
http://lists.freebsd.org/pipermail/freebsd-pf/2013-June/007095.html
> d) Anyone working on bringing FreeBSD up to 5.6?
There was some brief discussion of same at vBSD (prompted by Henning’s rant after being pushed about his claims about the “pf” in OpenBSD being faster than the “pf” in FreeBSD 10).
This occurred both at ruBSD and vBSD:
http://tech.yandex.ru/events/yagosti/ruBSD/talks/1477/ (you can skip to 29:51)
http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (you can skip to 33:18 and 36:53 for the salient bits)
http://quigon.bsws.de/papers/2013/vbsdcon/
http://quigon.bsws.de/papers/2013/rubsd/
bapt apparently volunteered to attempt to bring the pf from a more modern pf to FreeBSD. You’ll have to ask him about status.
You didn’t ask, but Dragonfly also recently got some pf concurrency work committed.
http://lists.dragonflybsd.org/pipermail/commits/2014-June/270300.html
> e) OpenBSD is retiring ALTQ entirely - any thoughts on that?
> http://undeadly.org/cgi?action=article&sid=20140419151959
>
> f) IPv6 support? It seems to be more and more challenged in the current version of pf in FreeBSD, and I am (as well as others) introducing more and more IPv6 in networks.
> E.g. bugs #179392, #172648, #130381, #127920 and, more seriously, #124933, which is the bug on not handling IPv6 fragments, which has been open since 2008 and where the workaround is the necessity to leave an open hole in your firewall ruleset to allow all fragments. According to a comment in the bug, this has been long gone in OpenBSD.
Ermal is looking at #124933, because I think it’s important to get this fixed for pfSense.
Jim