From owner-freebsd-pf@FreeBSD.ORG Sat Dec 6 02:09:44 2014
From: Martin Hanson
To: freebsd-pf@freebsd.org
Subject: Get RID of the multi threading patch in FreeBSDs version of PF
Date: Sat, 06 Dec 2014 03:09:31 +0100
Message-Id: <136621417831771@web24j.yandex.ru>

Hi,

I have been looking into PF on FreeBSD and I am surprised about the situation in which support for multi threading was added before it was brought up to date with the version from OpenBSD.

Some people outright warn about using it because the version in FreeBSD is more than five years old and with the multi threading patch it has become completely impossible to bring it up to date.

Have any important bugs been fixed in PF on OpenBSD since the current port in FreeBSD that actually make the current PF in FreeBSD "dangerous" to run with?

I believe that most would agree that it would be a whole lot better to get an updated port from OpenBSD rather than running with multi threading support on a completely outdated firewall.

It's like taking my old rust bucket of a car and installing a new fast engine before actually fixing the old crap. Who cares about driving fast if the freaking wheels come off?

Rolling it back WITHOUT actually upgrading it would even be *better* than running it with the multi threading patch! Then someone who might actually have the time might take the task upon himself/herself to bring it in sync with OpenBSD. With the multi threading patch in place nobody will ever want to do that!

It is damaging for FreeBSD in that we're losing the best firewall out there!

I am not a coder, but my advice is: Roll PF back for the next release of FreeBSD and leave it as is! Then someone will upgrade it, sooner or later. Keep the multi threading patch and PF will eventually be gone from FreeBSD!

Kind regards

Martin

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 6 02:35:00 2014
From: Martin Hanson
To: freebsd-pf@freebsd.org
Subject: FOLLOW-UP
Date: Sat, 06 Dec 2014 03:34:55 +0100
Message-Id: <363021417833295@web21g.yandex.ru>

Okay, this part "Have any important bugs been fixed in PF on OpenBSD since the current port in FreeBSD that actually make the current PF in FreeBSD "dangerous" to run with?" was actually a really stupid question!

The..

http://svnweb.freebsd.org/base/vendor-sys/pf/4.5.002/?view=log

.. shows that the last import was for tag 4.5.002, 5 years and 3 months ago!

Going back to that time in the OpenBSD CVS log and then scrolling up until present day shows quite a bunch of REALLY important fixes! I am NOT talking about the changes made by the OpenBSD guys, just bug and error fixes!

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c

Problems that can cause kernel crashes, fixes for PF crashing faults, out-of-memory errors, leak of states, and a whole lot of other important stuff.

Nobody in their right mind would run the current version of PF on FreeBSD!

I am sorry, but how can someone be so stupid as to get a whole bunch of new features into a product that seriously needs upgrading first!?

What's going on, FreeBSD? You used to be all about quality, now you're all about "bleeding edge features" and don't give a s*** about the rest?

Linux can get away with that crap ONLY because such a huge bunch of people and organisations are running and supporting it, they have a LOT of people developing stuff and fixing stuff really quick, FreeBSD hasn't got that user base!

It needs to be about quality over features! Like in the good old 4.x and 5.x days!

Martin

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 6 05:53:44 2014
From: Jim Thompson
To: Martin Hanson
Cc: freebsd-pf@freebsd.org
Subject: Re: FOLLOW-UP
Date: Fri, 5 Dec 2014 23:53:36 -0600
In-Reply-To: <363021417833295@web21g.yandex.ru>

It's strange how you assume that no bugs can be fixed outside the openbsd tree.

I'd say more, but it would be flaming, or flame bait.

Jim

> On Dec 5, 2014, at 8:34 PM, Martin Hanson wrote:
>
> Okay, this part "Have any important bugs been fixed in PF on OpenBSD
> since the current port in FreeBSD that actually make the current PF in
> FreeBSD "dangerous" to run with?" was actually a really stupid question!
>
> The..
>
> http://svnweb.freebsd.org/base/vendor-sys/pf/4.5.002/?view=log
>
> .. shows that the last import was for tag 4.5.002, 5 years and 3 months
> ago!
>
> Going back to that time in the OpenBSD CVS log and then scrolling up
> until present day shows quite a bunch of REALLY important fixes! I am
> NOT talking about the changes made by the OpenBSD guys, just bug and
> error fixes!
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c
>
> Problems that can cause kernel crashes, fixes for PF crashing faults,
> out-of-memory errors, leak of states, and a whole lot of other
> important stuff.
>
> Nobody in their right mind would run the current version of PF on
> FreeBSD!
>
> I am sorry, but how can someone be so stupid as to get a whole bunch of
> new features into a product that seriously needs upgrading first!?
>
> What's going on, FreeBSD? You used to be all about quality, now you're
> all about "bleeding edge features" and don't give a s*** about the rest?
>
> Linux can get away with that crap ONLY because such a huge bunch of
> people and organisations are running and supporting it, they have a LOT
> of people developing stuff and fixing stuff really quick, FreeBSD
> hasn't got that user base!
>
> It needs to be about quality over features! Like in the good old 4.x
> and 5.x days!
>
> Martin
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 6 06:13:19 2014
From: Jim Thompson
To: Martin Hanson
Cc: freebsd-pf@FreeBSD.org
Subject: Re: Get RID of the multi threading patch in FreeBSDs version of PF
Date: Sat, 6 Dec 2014 00:13:10 -0600
In-Reply-To: <136621417831771@web24j.yandex.ru>

> On Dec 5, 2014, at 8:09 PM, Martin Hanson wrote:
>
> I am not a coder,

Indeed.

> Keep the multi threading patch and PF will eventually be gone from FreeBSD!

May be an OK outcome, actually. The two will continue to diverge. People who want the PF from OpenBSD can just find (pay?) someone to bring it in, maybe call it opf. The hooks are all there.

Not saying if the 'o' stands for open or old.

Not sure that "pf" deserves a title of "the best", either. It's pretty hacky in places. It's got more knobs than The Citadel at matriculation.

It's definitely got a huge architecture problem (or two).

"Last match wins"... Who does that? People who "code" before they think, that's who. Even the OpenBSD people admit this was a mistake.

IMO, PF (and CARP/pfsync) have run their course. Time for something better.

Jim

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 6 20:00:49 2014
From: Darren Pilgrim
Reply-To: freebsd-pf@freebsd.org
To: Martin Hanson, freebsd-pf@freebsd.org
Subject: Re: Get RID of the multi threading patch in FreeBSDs version of PF
Date: Sat, 06 Dec 2014 12:00:28 -0800
Message-ID: <5483605C.4070400@bluerosetech.com>
In-Reply-To: <136621417831771@web24j.yandex.ru>

On 12/5/2014 6:09 PM, Martin Hanson wrote:
> Have any important bugs been fixed in PF on OpenBSD since the current
> port in FreeBSD that actually make the current PF in FreeBSD
> "dangerous" to run with?

FreeBSD's pf is broken for IPv6. Its lack of fragment support means FreeBSD breaks EDNS0 and other large-packet protocols that rely on fragment headers.
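The fragment problem Darren raises in the last message is easiest to see with a packet in hand. The Python script below is an added example written for this archive; it is not code from the thread, from pf or from any BSD. It constructs one large IPv6/UDP datagram (a stand-in for an EDNS0-sized DNS response), splits it into two IPv6 fragments the way a sending host would, shows what a filter that does not reassemble fragments can see in each packet, and then reassembles the set. The addresses (from the 2001:db8::/32 documentation prefix), the fragment identification, the port numbers and the filler payload are all constructed for the example, and `stateless_pass` is a hypothetical stand-in for a rule of the form "pass in proto udp from port 53", not a pf API.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_FRAGMENT = 44

# Constructed addresses from the documentation prefix; not real hosts.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_header(payload_len, next_header, src, dst):
    """Fixed 40-byte IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)


def fragment_header(next_header, offset, more, ident):
    """8-byte Fragment extension header; offset is in 8-octet units, M flag is bit 0."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def udp_header(sport, dport, length):
    """UDP header with the checksum left at zero (not needed for this demonstration)."""
    return struct.pack("!HHHH", sport, dport, length, 0)


def build_packets():
    """Return (unfragmented, [fragment1, fragment2]) for one constructed 1408-byte UDP datagram.

    The datagram stands in for a large DNS response (EDNS0 permits far more than 512 bytes),
    which a sending host has to split into IPv6 fragments when it exceeds the path MTU.
    """
    payload = bytes(1400)                      # constructed filler, not a real DNS message
    udp = udp_header(53, 40000, 8 + len(payload)) + payload
    unfragmented = ipv6_header(len(udp), IPPROTO_UDP, SRC, DST) + udp

    split, ident = 1232, 0x1234                # split point must be a multiple of 8
    frag1 = (ipv6_header(8 + split, IPPROTO_FRAGMENT, SRC, DST)
             + fragment_header(IPPROTO_UDP, 0, True, ident) + udp[:split])
    frag2 = (ipv6_header(8 + len(udp) - split, IPPROTO_FRAGMENT, SRC, DST)
             + fragment_header(IPPROTO_UDP, split // 8, False, ident) + udp[split:])
    return unfragmented, [frag1, frag2]


def classify(pkt):
    """What a filter sees in one packet when it does not reassemble.

    Returns ('udp', sport, dport) when the transport header is present in this packet,
    or ('fragment', ident, offset, more) when it is not (every non-first fragment).
    """
    next_header, body = pkt[6], pkt[40:]
    if next_header == IPPROTO_UDP:
        return ("udp",) + struct.unpack("!HH", body[:4])
    if next_header == IPPROTO_FRAGMENT:
        inner, _, off_flags, ident = struct.unpack("!BBHI", body[:8])
        offset, more = off_flags >> 3, bool(off_flags & 1)
        if offset == 0 and inner == IPPROTO_UDP:
            return ("udp",) + struct.unpack("!HH", body[8:12])
        return ("fragment", ident, offset, more)
    return ("other", next_header)


def stateless_pass(pkt):
    """Hypothetical stand-in for a rule like 'pass in proto udp from port 53':
    it can only match when the UDP header is visible in this very packet."""
    seen = classify(pkt)
    return seen[0] == "udp" and seen[1] == 53


def reassemble(frags):
    """Reassemble one fragment set; return None if pieces are missing or overlap."""
    pieces, inner, ident, total, src, dst = [], None, None, None, None, None
    for pkt in frags:
        if pkt[6] != IPPROTO_FRAGMENT:
            raise ValueError("not a fragment")
        body = pkt[40:]
        nh, _, off_flags, fid = struct.unpack("!BBHI", body[:8])
        if ident is None:
            inner, ident, src, dst = nh, fid, pkt[8:24], pkt[24:40]
        elif fid != ident:
            raise ValueError("fragments belong to different datagrams")
        data = body[8:]
        pieces.append(((off_flags >> 3) * 8, data))
        if not off_flags & 1:              # M flag clear: this is the last fragment
            total = (off_flags >> 3) * 8 + len(data)
    if total is None:
        return None
    buf, expected = bytearray(), 0
    for start, data in sorted(pieces):
        if start != expected:              # gap or overlap: reject the whole set
            return None
        buf += data
        expected += len(data)
    if expected != total:
        return None
    return ipv6_header(total, inner, src, dst) + bytes(buf)


if __name__ == "__main__":
    whole, frags = build_packets()
    for name, pkt in [("unfragmented", whole), ("fragment 1", frags[0]), ("fragment 2", frags[1])]:
        print(f"{name:13s} sees {classify(pkt)} -> rule matches: {stateless_pass(pkt)}")
    print("after reassembly:", stateless_pass(reassemble(frags)))
```

Run it with `python3`. The second fragment carries no UDP header at all, only a Fragment header with next-header 17 and a non-zero offset, so a port-matching rule evaluated packet by packet cannot match it and a default-deny policy drops it; the receiving resolver then never completes the datagram, which is the EDNS0 breakage described above. Reassembling first restores the transport header and lets the same rule match. The reassembler deliberately rejects sets with gaps or overlapping pieces rather than guessing, since overlapping fragments are a classic way to present one view of a packet to a filter and another to the end host.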