Date: Thu, 18 Dec 2014 11:50:03 +1100
Subject: Re: Alternative to pf?
From: Outback Dingo
To: Jim Thompson
Cc: freebsd-pf@freebsd.org

On Thu, Dec 18, 2014 at 11:47 AM, Jim Thompson wrote:

> > On Dec 17, 2014, at 6:16 PM, Christopher Petrik wrote:
> >
> > On Thu, Dec 18, 2014 at 12:43:59AM +0100, Daniel Engberg wrote:
> >> Hi,
> >>
> >> During the year there have been several discussions regarding the state
> >> of pf in FreeBSD. In most cases it seems to boil down to that it's too
> >> hard/time-consuming to bring upstream patches from OpenBSD to FreeBSD.
> >> As it's been mentioned Apple seems to update pf somewhat (copyright is
> >> changed to 2013 at least) and file size differs between OS X releases
> >> but I wasn't able to find any commit logs.
> >>
> >> That said, NetBSD have something similar to pf in syntax called npf
> >> which seems actively maintained and the author seems open to the idea
> >> of porting it to FreeBSD.
> >> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
> >> However I'm not certain that it surpasses our current pf in terms of
> >> functionality in all cases (apart from the firewalling ALTQ comes to
> >> mind etc).
> >> Perhaps this might be worth looking into and in the end drop pf due to
> >> the reasons above?
> >>
> >> That said, don't forget all the work that has gone into getting pf
> >> where it is today.
> >> While I'm at it, does anyone else than me use ALTQ? While it's not
> >> multithreaded I find a very good "tool" and it does shaping really well.
> >>
> >> Best regards,
> >> Daniel
> >> _______________________________________________
> >> freebsd-pf@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> > Hi,
> > I think the real question is, "Do we really need so many firewall suites
> > in FreeBSD" we have ipfw, ipf, pf I think the solution would be to port
> > npf as its basis is to be portable. I use it and it takes some getting
> > used to but it looks promising. But then this creates a 4th suite to add
> > into FreeBSD ?
>
> We could ‘port’ it to run on top of netmap (like the version of ipfw that
> runs over netmap).
>
> Then it’s not necessarily “in” FreeBSD.
>

therein lies the big question, how portable is it... how much work would be
required to make it "netmap" compatible, and will it integrate well, and
what's the time frame :)

>
> Jim