tech-kern archive


Re: Removing PF



On 30/03/2019 at 14:34, Michael van Elst wrote:
> On Sat, Mar 30, 2019 at 02:18:29PM +0100, Piotr Meyer wrote:
>> On Sat, Mar 30, 2019 at 12:59:00PM -0000, Michael van Elst wrote:
>>> Just to get the facts straight: NPF has a bigger market share *outside*
>>> NetBSD, at least certainly for commercial users.  They also contribute.
>>
>> Ironically, the same is also true for PF...
>>
>> But contributions to PF are made against the OpenBSD kernel, true? And the
>> essence of the problem is that:
>> - NetBSD version of PF is too old to adapt them without a ton of work,
>
> That's self-evident, the "ton of work" is of course just the same that
> would have been needed if you had tracked pf development.

... which doesn't take anything away from the fact that no one has been
willing to do this work over the last 10 years, and likely not in the
next 10 years either ...

>> - even current PF in OpenBSD doesn't fit very well into MP kernels
>
> Whatever "MP kernel" is. It no longer fits that well with our recent
> MP changes of the network stack, but that mostly results in being
> less efficient, not in being more difficult to port or track.

... reports from FreeBSD on the matter indicate that it is more difficult
to port, unsurprisingly, not to mention that having PF will then be an
obstacle to enabling full MP-safety in GENERIC ... so no, it's not just
less efficient, it becomes a big obstacle to full MP-safety in GENERIC ...

>>   and that makes a "fresh" import cumbersome and fruitless
>
> It's always cumbersome to import foreign code. NPF won't be any different,
> but since it is a newer development, it has a head start. Don't believe
> NPF is something "native" and thus easier to track, see the recent change
> from our "native" proplib to its proprietary library.

... NPF is NetBSD's native firewall and is well integrated in the NetBSD
kernel, the recent switch from proplib to libnv is very anecdotal, if
anything ...

On 30/03/2019 at 14:47, Michael van Elst wrote:
> That's a myth. When I switched from IPF to NPF, the first thing required
> was to fix NPF and NPF-related bugs. The NetBSD version of it was pretty
> much unmaintained; it still is, to a lesser degree.

... unmaintained as in "it was 2 months behind the GitHub version", not as
in "it was 11 years behind the OpenBSD version" ... NPF development is
jumping between NetBSD and GitHub, with changes being regularly merged in
both directions by Mindaugas from time to time ...

> The best way forward to drop PF is to actively develop NPF.

... and the best way to actively develop NPF is to stop splitting effort on
three firewalls and stop directing users to all three of them ... it's also
to stop this illusory/irrational approach by which it is fine to use
inflammable firewalls ... yes, all software has bugs, but maintained
software benefits from improvements, outdated software doesn't ... outdated
software must be kept synchronized, which brings us back to the first point,
no one wants to work on that ...

