Date:      Wed, 17 Dec 2014 20:05:10 -0600
From:      Jim Thompson <jim@netgate.com>
To:        Mario Lobo <lobo@bsd.com.br>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Alternative to pf?
Message-ID:  <55B84D9D-B376-4EFF-8998-723A62AF5D6A@netgate.com>
In-Reply-To: <20141217225457.64c16404@Papi>
References:  <7be936232e96ae10d9734598014fd9d5@pyret.net> <20141217225457.64c16404@Papi>


> On Dec 17, 2014, at 7:54 PM, Mario Lobo <lobo@bsd.com.br> wrote:
>
> On Thu, 18 Dec 2014 00:43:59 +0100
> Daniel Engberg <daniel.engberg.lists@pyret.net> wrote:
>
>> Hi,
>>
>> During the year there have been several discussions regarding the
>> state of pf in FreeBSD. In most cases it seems to boil down to
>> it being too hard/time-consuming to bring upstream patches from OpenBSD
>> to FreeBSD. As it's been mentioned, Apple seems to update pf somewhat
>> (copyright is changed to 2013 at least) and file size differs between
>> OS X releases, but I wasn't able to find any commit logs.
>>
>> That said, NetBSD has something similar to pf in syntax called npf
>> which seems actively maintained and the author seems open to the idea
>> of porting it to FreeBSD.
>> http://www.netbsd.org/~rmind/pub/npf_asiabsdcon_2014.pdf - Page 24
>> However I'm not certain that it surpasses our current pf in terms of
>> functionality in all cases (apart from the firewalling, ALTQ comes to
>> mind etc).
>> Perhaps this might be worth looking into and in the end drop pf due
>> to the reasons above?
>>
>> That said, don't forget all the work that has gone into getting pf
>> where it is today.
>> While I'm at it, does anyone else than me use ALTQ? While it's not
>> multithreaded I find it a very good "tool" and it does shaping really
>> well.
>>
>> Best regards,
>> Daniel
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>
> I think that just pf and ipfw would be more than "enough" for FBSD. I
> have used both but I'm more comfortable with pf's configuration than
> with ipfw. I have even tested ipfw filtering together with pf altq. I
> totally rely on pf's ALTQ at production simply because it works
> perfectly, no matter how complex the setup. Been using it for years now.

Even with the SMP in 10, pf is as slow as molasses in January, and 10G interfaces are a thing now.

(Someone is sure to cry, "but I can fill a 10G interface in front of pf!".  Yes, with max-sized packets.
Try it with 256 byte (or 64 byte) packets.  Yup.

Moreover, pf has fundamental limitations (last match).

> From what I have read, there are quite a few changes in openbsd pf,
> especially as far as syntax is concerned. I'm just a user so I can only
> imagine the hard work involved in porting it but, running the risk of
> making a lame comment, I would be completely satisfied if only 2 things
> could be implemented: SMP and fix the ALTQ limitation "bug".

FreeBSD already has SMP, and I don't know what you might be referring to as "ALTQ limitation 'bug'".

Are you saying you'd be "completely satisfied" if you had SMP support with OpenBSD or a port of OpenBSD's pf to FreeBSD,
or something else?
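The "last match" point above is worth making concrete, because it is the pf behaviour that most often surprises people reviewing a ruleset: pf evaluates every rule and the last matching one wins, unless a matching rule is marked `quick`, which stops evaluation on the spot. The model below is an added example written for this archive page; it is neither code from the thread nor pf's own implementation. The `Rule`/`Packet` types, the rulesets and the probe packets are all constructed for the demonstration.

```python
"""Model of pf's default last-match evaluation versus `quick`.

Added example, not code from the thread or from pf itself. pf evaluates the
whole ruleset and the *last* matching rule decides, unless a matching rule
carries `quick`, in which case evaluation stops there. A packet that matches
no rule at all is passed. Rules and packets here are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False           # stop evaluation when this rule matches

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet, default: str = "pass") -> str:
    """Return the action pf would apply to pkt: last match wins unless quick."""
    winner = default              # pf passes packets that match no rule
    for rule in rules:
        if rule.matches(pkt):
            winner = rule.action  # a later match overrides an earlier one
            if rule.quick:
                break             # quick short-circuits the rest of the ruleset
    return winner


# Constructed ruleset with the intent "block everything except TCP/22".
# A broad "pass" appended later (say, for a quick test) matches last and
# therefore wins, silently reopening everything the first rule closed.
RULES_LAST_MATCH = [
    Rule("block"),
    Rule("pass", proto="tcp", dport=22),
    Rule("pass", proto="tcp"),    # appended later; overrides the block
]

# Same intent, written so that the block cannot be overridden: the specific
# pass comes first and both rules are quick, so nothing after them is reached.
RULES_QUICK = [
    Rule("pass", proto="tcp", dport=22, quick=True),
    Rule("block", quick=True),
    Rule("pass", proto="tcp"),    # never evaluated for any packet
]


def audit(rules: list[Rule], packets: list[Packet]) -> dict:
    """Map each probe packet to the action the ruleset gives it."""
    return {(p.proto, p.dport): evaluate(rules, p) for p in packets}


if __name__ == "__main__":
    probes = [Packet("tcp", 22), Packet("tcp", 3306), Packet("udp", 53)]
    for name, ruleset in (("last-match", RULES_LAST_MATCH), ("quick", RULES_QUICK)):
        print(name, audit(ruleset, probes))
```

Running it shows TCP/3306 passing under the first ruleset and being blocked under the second, which is the whole point: under last-match semantics the safety of a ruleset depends on what was appended after the block, so a review has to read to the end of the file, or the blocks have to be `quick`.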




