tech-kern archive


Removing PF



There have been internal discussions about removing PF from NetBSD. Currently,
NetBSD's PF is 11 years old, has received no maintenance, and has accumulated
bugs and vulnerabilities that were fixed upstream but not in NetBSD. The
latest examples are two vulnerabilities recently discovered in PF that
haven't been fixed in NetBSD's PF for lack of interest.

Importing recent versions of PF into scalable/performant kernels is a huge
amount of work because of PF's legacy design, and there have been reports that
FreeBSD is also considering dropping PF.

Just like other kinds of dead wood, NetBSD's PF consumes APIs, makes stuff
harder to change, and has now reached a point where it is lagging behind
upstream way too much to still be considered a functional or secure firewall
on NetBSD.

NetBSD provides NPF, a clean, secure and scalable firewall, enabled by default,
that can be used instead, even if it doesn't have all the features PF has
for now. It is to be noted that IPF too is present in NetBSD, although its
use is not recommended (for other reasons).

Given NPF's advanced design and good integration in the NetBSD kernel, trying
to maintain PF seems like a huge effort for little benefit, and the resources
would be better spent on NPF.

Even if we overcame the effort needed to import a new version of PF, we would
still have to maintain it and regularly synchronize it against upstream.
Overall, it is not viable to keep PF, and it has already proven not to be in
the past, given the state its code finds itself in today.

