From: Ian FREISLICH
To: Ermal Luçi
Cc: pf@freebsd.org
Date: Fri, 07 Sep 2012 11:26:21 +0200
Subject: Re: [HEADS UP] merging projects/pf into head

> > I won't keep OpenBSD-pf and FreeBSD-pf in parallel in FreeBSD. The
> > OpenBSD-pf port have proved to be poorly maintained. After last
> > import that was made by you, at least the following regressions were
> > introduced:
> >
> > - enabling pfsync immediately panics
> > - kldunload pf.ko immediately panics
>
> Going to personal attacks shows your willing to discuss as civilized
> person. Though that does not mean anything in the sense that bugs are
> there to be found by testers.

I don't think Gleb is being personal about this. Facts are facts and
pf is currently unusable for me, even at home because of spuriously
dropped packets.

From my point of view as a user, the FreeBSD pf port is unmaintained.
I'm sorry if you find this observation offensive. It seems like only
fixes available are to import a new pf from OpenBSD. There are
structural issues that need to be addressed to make it work properly on
FreeBSD and Gleb has done that.

We're struggling with an issue that appears to be a "forever problem" -
the "pf: state key linking mismatch" which affects pf as far back as
we've been prepared to test (FreeBSD-8.0). Although it only became
visible in the logs in -CURRENT before 9-RELEASE with the pf import
then. It manifests as connections stalling randomly. There's not been
a fix since it was first reported. We're seeing 0.08% of our
connections dropped on the floor or about 4 per second. As a result,
we've been seriously considering replacing our FreeBSD routers.

> If you have not found out yet, testers for something that people take
> for granted as firewalls are scarce in general.

Testing this stuff is hard because it's very difficult to simulate a
production environment outside of the production environment. People
generally don't want production to break.

Ian

--
Ian Freislich