Things are very quiet this week; I’ve had nothing to post for some days, about DragonFly or even the other BSDs. The end of the year has most people distracted, I think. This makes it a good time to bring up something that’s been bothering me: the state of software firewalls in BSD. The pf utility is a BSD advantage; I’ve heard people say “I used iptables on Linux and pf is a much better alternative.” I know that’s anecdotal, but there it is. Here’s the question, and the reason I’m writing this: which pf?
DragonFly has a version of pf equivalent to what was shipped in OpenBSD 4.4. FreeBSD has a version equivalent, I think, to OpenBSD 3.8 4.5’s pf, and it has been further modified. NetBSD has a similar, older pf, but there are people working on a NetBSD-specific version called npf, which isn’t yet ready. And of course, OpenBSD has its own version of pf. If you feel good about these different alternatives, you call it divergence. If you don’t feel good about it, you call it fragmentation.
Compare this to OpenSSH: it works the same on each platform. There’s no confusion about how to configure it, and no interoperability problems. It would be wonderful to have the equivalent for pf, where the other BSD platforms would import a portable version. This software firewall is a strength, and it’s much easier to tout it when there’s only one.
I doubt there’s a way to bring it all back to one source tree. There’s a lot vested in the different forks out there. You know what would take a lot less effort: a compatibility test suite. Agreeing on a common syntax and set of functions would make life easier for every end user. It would incidentally make vendors a lot happier, too. Even if a user or vendor wasn’t hoping to move between BSD flavors, a test suite would still guarantee a certain known level of functionality for any BSD release.
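One shape such a suite could take, as an added example written for this post (not a tool from DragonFly, FreeBSD, NetBSD or OpenBSD): a portable pre-check that reads a pf.conf corpus and flags rules whose syntax differs between pf generations. It models only one documented divergence, the OpenBSD 4.7 change that folded the standalone nat/rdr/binat rules into nat-to/rdr-to/binat-to options on match and pass rules, so that a ruleset can be labelled as parseable by an older pf (such as the OpenBSD 4.4/4.5 lineage named above), only by a 4.7+ pf, by both, or by neither. The sample rulesets are constructed; `pfctl -n` on each platform remains the authoritative parse.

```python
"""Classify pf.conf rules by the syntax generation they depend on.

Added example for a pf compatibility test corpus; not a BSD project tool.
Assumption: the only divergence modelled is the OpenBSD 4.7 translation
syntax change (nat/rdr/binat rules -> nat-to/rdr-to/binat-to options, plus
the new `match` action). Anything else is treated as common syntax.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Pre-4.7 standalone translation rules, e.g. "nat on $ext_if ... -> ($ext_if)".
OLD_RULE = re.compile(r"^\s*(?:no\s+)?(?:nat|rdr|binat)\s")
# 4.7+ constructs: the match action and translation options on a rule.
NEW_RULE = re.compile(r"^\s*match\s|\b(?:nat-to|rdr-to|binat-to)\b")


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Strip '#' comments, join backslash continuations, drop blank lines.

    Returns (first_physical_line_number, whitespace-normalised rule) pairs.
    """
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):          # pf.conf line continuation
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append((start, " ".join(buf.split())))
        buf = ""
    if buf.strip():                      # dangling continuation at EOF
        out.append((start, " ".join(buf.split())))
    return out


@dataclass
class Report:
    legacy: List[Tuple[int, str]] = field(default_factory=list)
    modern: List[Tuple[int, str]] = field(default_factory=list)
    common: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def dialect(self) -> str:
        if self.legacy and self.modern:
            return "mixed"    # no single pf generation loads this file
        if self.legacy:
            return "legacy"   # pre-4.7 pf only (e.g. 4.4/4.5-derived ports)
        if self.modern:
            return "modern"   # OpenBSD 4.7+ pf only
        return "common"       # same meaning on either generation


def classify(text: str) -> Report:
    """Bucket every logical rule of a pf.conf text by syntax generation."""
    rep = Report()
    for n, rule in logical_lines(text):
        if OLD_RULE.match(rule):
            rep.legacy.append((n, rule))
        elif NEW_RULE.search(rule):
            rep.modern.append((n, rule))
        else:
            rep.common.append((n, rule))
    return rep


# Constructed sample rulesets (RFC 5737 documentation addresses).
LEGACY_CONF = """\
ext_if = "em0"
nat on $ext_if from 192.0.2.0/24 to any -> ($ext_if)
rdr on $ext_if proto tcp to port 80 -> 192.0.2.10 port 8080
pass in on $ext_if proto tcp to 192.0.2.10 port 8080   # allow redirected web
"""

MODERN_CONF = """\
ext_if = "em0"
match out on $ext_if from 192.0.2.0/24 nat-to ($ext_if)
pass in on $ext_if proto tcp to port 80 rdr-to 192.0.2.10 port 8080
"""

COMMON_CONF = """\
set skip on lo
block all
pass out quick inet proto { tcp, udp } \\
    from any to any keep state
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("modern", MODERN_CONF),
                       ("common", COMMON_CONF)):
        rep = classify(conf)
        print(f"{name}: dialect={rep.dialect} legacy={len(rep.legacy)} "
              f"modern={len(rep.modern)} common={len(rep.common)}")
```

Run across a directory of rulesets, the "mixed" and generation-specific buckets are exactly the cases a cross-BSD compatibility suite would want to enumerate: each such rule needs either a documented rewrite for the other generation or an agreement that both spellings are accepted.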
How likely is this? I don’t know. But I want to bring up the notion before it gets missed. Now is a good time, with each pf version still being relatively close to one another.
Update/note: Henning Brauer is willing to help.
That would be cool, but I think the porting effort for pf is probably higher than that for something like OpenSSH due to its deeper hooks into the kernel and network stack. NetBSD even has some different goals in mind I think with npf (multicore filtering), so they may no longer want a port in the strict sense. But an agreement on a base level of functionality and configuration file syntax would be nice.
Likewise FreeBSD is not interested in staying current with PF; they’re interested in SMP:
“The pf firewall, originally from OpenBSD, got upgraded to support fine-grain locking and better utilization on multi-cpu machines” [https://wiki.freebsd.org/WhatsNew/FreeBSD10]
FYI, NetBSD’s npf has nothing in common with OpenBSD’s pf:
http://mail-index.netbsd.org/netbsd-announce/2010/09/13/msg000110.html
http://www.netbsd.org/~rmind/npf/
Oops, a little late to the discussion. The underlying issue really is SMP scaling… that’s what’s driving FreeBSD and NetBSD. That’s why there’s no motivation to stay in sync with OpenBSD. In DragonFly, we have exactly the same issue so sooner or later OpenBSD networking guys need to step up. Questions about this (and help offered) have been brought up in 2012 on the mailing lists (and probably before that as well). pf is great work and I’m not convinced npf will be of much relevance. Not sure if the FreeBSD 10 pf is going to cut it as well being based on an outdated version. OpenBSD really holds all the power to change that (for now).
FWIW, I can take a shot at updating pf after netmap has settled in.
>>> https://twitter.com/HenningBrauer/status/418348714294779904
I agree, I don’t think it is feasible to bring it back into one source tree, but ensuring the same syntax is used across all pf versions would be something that should be possible and would be very nice to have.
The sad thing about this situation is that the only firewall that is working and is available to all BSDs is the old ipfilter. So that runs against the original intention to get rid of it and replace it with something better. pf was a try. I do not believe in it any more, even though it was a good one. npf is the next try. I hope this time it will finally work out for good.