Removing PF

Removing PF

Claudio Jeker
There have been internal discussions about OpenBSD also removing the pf
packet filter after the upcoming 6.5 release. Instead a switch to
using David Gwynne's new bpf filter will happen.
The benefits outweigh the drawbacks and the missing features will be
readily implemented in time for the 6.6 release.

--
:wq Claudio


Re: Removing PF

Ian Mcwilliam-6
"peeing on, or even integration into baby mulching
machines or atomic bombs to be dropped on Australia"

That's a lot of missing features to implement in one release cycle.....

Ian McWilliam

________________________________
From: [hidden email] <[hidden email]> on behalf of Claudio Jeker <[hidden email]>
Sent: Monday, 1 April 2019 4:01 PM
To: [hidden email]
Subject: Removing PF

There have been internal discussions about OpenBSD also removing the pf
packet filter after the upcoming 6.5 release. Instead a switch to
using David Gwynne's new bpf filter will happen.
The benefits outweigh the drawbacks and the missing features will be
readily implemented in time for the 6.6 release.

--
:wq Claudio


Re: Removing PF

Janne Johansson-3
On Mon, 1 Apr 2019 at 07:30, Ian McWilliam <
[hidden email]> wrote:

> "peeing on, or even integration into baby mulching
> machines or atomic bombs to be dropped on Australia"
> That's a lot of missing features to implement in one release cycle.....
>
>
I would like the license to actually forbid dropping baby mulching machines
on Australia.

--
May the most significant bit of your life be positive.

Re: Removing PF

Tom Smyth
In reply to this post by Claudio Jeker
Yeah... I would love you all to give effect to that... +1 from me
Claudio... about time!...
Thanks for articulating what I have been thinking all this time...
1/4/2019 will be a historic turning point for us



On Monday, 1 April 2019, Claudio Jeker <[hidden email]> wrote:

> There have been internal discussions about OpenBSD also removing the pf
> packet filter after the upcoming 6.5 release. Instead a switch to
> using David Gwynne's new bpf filter will happen.
> The benefits outweigh the drawbacks and the missing features will be
> readily implemented in time for the 6.6 release.
>
> --
> :wq Claudio
>
>

--
Kindest regards,
Tom Smyth

The information contained in this E-mail is intended only for the
confidential use of the named recipient. If the reader of this message
is not the intended recipient or the person responsible for
delivering it to the recipient, you are hereby notified that you have
received this communication in error and that any review,
dissemination or copying of this communication is strictly prohibited.
If you have received this in error, please notify the sender
immediately by telephone at the number above and erase the message
You are requested to carry out your own virus check before
opening any attachment.

Re: Removing PF

Todd C. Miller-3
In reply to this post by Claudio Jeker
On Mon, 01 Apr 2019 07:01:03 +0200, Claudio Jeker wrote:

> There have been internal discussions about OpenBSD also removing the pf
> packet filter after the upcoming 6.5 release. Instead a switch to
> using David Gwynne's new bpf filter will happen.
> The benefits outweigh the drawbacks and the missing features will be
> readily implemented in time for the 6.6 release.

Will the bpf JIT changes be done in time for 6.6?  I have no doubt
that "pfctl -p /dev/bfp" can be made to work in time but for a truly
performant firewall we will need bpf JIT.

 - todd


Re: Removing PF

Theo de Raadt-2
Todd C. Miller <[hidden email]> wrote:

> On Mon, 01 Apr 2019 07:01:03 +0200, Claudio Jeker wrote:
>
> > There have been internal discussions about OpenBSD also removing the pf
> > packet filter after the upcoming 6.5 release. Instead a switch to
> > using David Gwynne's new bpf filter will happen.
> > The benefits outweigh the drawbacks and the missing features will be
> > readily implemented in time for the 6.6 release.
>
> Will the bpf JIT changes be done in time for 6.6?  I have no doubt
> that "pfctl -p /dev/bfp" can be made to work in time but for a truly
> performant firewall we will need bpf JIT.

Don't think so -- JIT-less is the new hot.


Re: Removing PF

Ingo Schwarze
In reply to this post by Claudio Jeker
Hi Claudio,

Claudio Jeker wrote on Mon, Apr 01, 2019 at 07:01:03AM +0200:

> There have been internal discussions about OpenBSD also removing the pf
> packet filter after the upcoming 6.5 release. Instead a switch to
> using David Gwynne's new bpf filter will happen.
> The benefits outweigh the drawbacks and the missing features will be
> readily implemented in time for the 6.6 release.

Wouldn't it cause less work to do the two planned next steps in the
opposite order?  I.e. remove the concept of packet routing first,
replacing it with bridge(4) as planned, for 6.6?  That would mean
an immediate huge gain in security because routing requires *lots*
of network daemons, and network daemons are notorious for being
attack targets.  Not to mention the benefits for net neutrality,
which appears to be a topic of growing concern, too.  And after
that switch, there would be far fewer missing features to implement
in bpf, then for 6.7.

Yours,
  Ingo


Re: Removing PF

Stuart Henderson
In reply to this post by Claudio Jeker
On 2019/04/01 07:01, Claudio Jeker wrote:
> There have been internal discussions about OpenBSD also removing the pf
> packet filter after the upcoming 6.5 release. Instead a switch to
> using David Gwynne's new bpf filter will happen.
> The benefits outweigh the drawbacks and the missing features will be
> readily implemented in time for the 6.6 release.

I think FTP might be a bit of a problem here. It is clearly problematic
with firewalls and CGN; who do we talk to about getting RFC959 obsoleted?
In the meantime we could have an awk script parsing tcpdump output and
reactively updating the bpf filter.


Re: Removing PF

Miod Vallat
In reply to this post by Todd C. Miller-3

> Will the bpf JIT changes be done in time for 6.6?  I have no doubt
> that "pfctl -p /dev/bfp" can be made to work in time but for a truly
> performant firewall we will need bpf JIT.

I wrote a vax BPF jit as a simple exercise some time ago, so all you
really need now is to implement vax-to-${ARCH} jit on an MD basis. This
should be very easy to do as long as BPF does not get extended to use
floating-point values.


Re: Removing PF

Alexandr Nedvedicky
On Mon, Apr 01, 2019 at 01:04:19PM -0000, Miod Vallat wrote:

>
> > Will the bpf JIT changes be done in time for 6.6?  I have no doubt
> > that "pfctl -p /dev/bfp" can be made to work in time but for a truly
> > performant firewall we will need bpf JIT.
>
> I wrote a vax BPF jit as a simple exercise some time ago, so all you
> really need now is to implement vax-to-${ARCH} jit on an MD basis. This
> should be very easy to do as long as BPF does not get extended to use
> floating-point values.
>

    hmm... but there will be no IPv6.5 without floating point, right?


Re: Removing PF

Mateusz Guzik
In reply to this post by Claudio Jeker
On 4/1/19, Claudio Jeker <[hidden email]> wrote:
> There have been internal discussions about OpenBSD also removing the pf
> packet filter after the upcoming 6.5 release. Instead a switch to
> using David Gwynne's new bpf filter will happen.
> The benefits outweigh the drawbacks and the missing features will be
> readily implemented in time for the 6.6 release.
>
> --
> :wq Claudio
>

While I support pf removal, I don't think bpf is the way to go.

FreeBSD just removed their pf [1] so the code is up for grabs and you
can import it with one weird trick.

[1] https://lists.freebsd.org/pipermail/svn-src-projects/2019-April/013336.html

--
Mateusz Guzik <mjguzik gmail.com>


Re: Removing PF

Devin Ceartas
Will authpf be around?


Re: Removing PF

Kevin Chadwick-4
In reply to this post by Mateusz Guzik
On 4/1/19 3:18 PM, Mateusz Guzik wrote:
> While I support pf removal, I don't think bpf is the way to go.
>
> FreeBSD just removed their pf [1] so the code is up for grabs and you
> can import it with one weird trick.
>
> [1] https://lists.freebsd.org/pipermail/svn-src-projects/2019-April/013336.html

lol, did you read the link that you posted?

"pf in FreeBSD lags years behind OpenBSD's pf. Remove it. Users are advised to
migrate to ipf."

Why would they replace new pf with old or are you trying to suggest ipf instead
of bpf?


Re: [EXTERNAL] Re: Removing PF

Eichert, Diana
In reply to this post by Miod Vallat
I thought you were going to deal with MD issues by adding support for SIMH into 6.6?

-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Miod Vallat
Sent: Monday, April 1, 2019 7:04 AM
To: [hidden email]
Subject: [EXTERNAL] Re: Removing PF


> Will the bpf JIT changes be done in time for 6.6?  I have no doubt
> that "pfctl -p /dev/bfp" can be made to work in time but for a truly
> performant firewall we will need bpf JIT.

I wrote a vax BPF jit as a simple exercise some time ago, so all you really need now is to implement vax-to-${ARCH} jit on an MD basis. This should be very easy to do as long as BPF does not get extended to use floating-point values.


Re: Removing PF

Erik van Westen
In reply to this post by Kevin Chadwick-4
On 2019-04-01 at 18:03, Kevin Chadwick wrote:

> On 4/1/19 3:18 PM, Mateusz Guzik wrote:
>> While I support pf removal, I don't think bpf is the way to go.
>>
>> FreeBSD just removed their pf [1] so the code is up for grabs and you
>> can import it with one weird trick.
>>
>> [1] https://lists.freebsd.org/pipermail/svn-src-projects/2019-April/013336.html
> lol, did you read the link that you posted
>
> "pf in FreeBSD lags years behind OpenBSD's pf. Remove it. Users are advised to
> migrate to ipf."
>
> Why would they replace new pf with old or are you trying to suggest ipf instead
> of bpf?

What is today's date?

Kind regards,
Erik


Re: [EXTERNAL] Re: Removing PF

Alexander Nasonov
In reply to this post by Eichert, Diana
Eichert, Diana wrote:
> I wrote a vax BPF jit as a simple exercize some time ago, so all
> you really need now is to implement vax-to-${ARCH} jit on an MD
> basis. This should be very easy to do as long as BPF does not get
> extended to use floating-point values.

I'm afraid you have to rewrite it to riscv-to-${ARCH} and vectorise
along the way.

--
Alex


Re: [EXTERNAL] Re: Removing PF

Eichert, Diana
Oops, I think you've confused me with Miod.  He's the one who wrote the vax BPF.

I was only talking to him about adding direct SIMH support in 6.6.  That way you could have many kernels
running within a kernel at boot time.
I'm looking forward to running my old HP 2115 Fortran code ....  Who needs toggle switches anyway?

-----Original Message-----
From: Alexander Nasonov <[hidden email]>
Sent: Monday, April 1, 2019 1:38 PM
To: Eichert, Diana <[hidden email]>
Cc: [hidden email]
Subject: Re: [EXTERNAL] Re: Removing PF

Eichert, Diana wrote:
> I wrote a vax BPF jit as a simple exercise some time ago, so all you
> really need now is to implement vax-to-${ARCH} jit on an MD basis.
> This should be very easy to do as long as BPF does not get extended to
> use floating-point values.

I'm afraid you have to rewrite it to riscv-to-${ARCH} and vectorise along the way.

--
Alex


Re: Removing PF

Shawn Webb
In reply to this post by Theo de Raadt-2
On Mon, Apr 01, 2019 at 05:31:54AM -0600, Theo de Raadt wrote:

> Todd C. Miller <[hidden email]> wrote:
>
> > On Mon, 01 Apr 2019 07:01:03 +0200, Claudio Jeker wrote:
> >
> > > There have been internal discussions about OpenBSD also removing the pf
> > > packet filter after the upcoming 6.5 release. Instead a switch to
> > > using David Gwynne's new bpf filter will happen.
> > > The benefits outweigh the drawbacks and the missing features will be
> > > readily implemented in time for the 6.6 release.
> >
> > Will the bpf JIT changes be done in time for 6.6?  I have no doubt
> > that "pfctl -p /dev/bfp" can be made to work in time but for a truly
> > performant firewall we will need bpf JIT.
>
> Don't think so -- JIT-less is the new hot.
I'd rather see this new bpf pick up serverless functionality.

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        [hidden email]
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2


Re: Removing PF

Jordan Geoghegan
In reply to this post by Kevin Chadwick-4

On 4/1/19 9:03 AM, Kevin Chadwick wrote:

> On 4/1/19 3:18 PM, Mateusz Guzik wrote:
>> While I support pf removal, I don't think bpf is the way to go.
>>
>> FreeBSD just removed their pf [1] so the code is up for grabs and you
>> can import it with one weird trick.
>>
>> [1] https://lists.freebsd.org/pipermail/svn-src-projects/2019-April/013336.html
> lol, did you read the link that you posted
>
> "pf in FreeBSD lags years behind OpenBSD's pf. Remove it. Users are advised to
> migrate to ipf."
>
> Why would they replace new pf with old or are you trying to suggest ipf instead
> of bpf?
>

Realistically, we need to move to the one true firewall-- iptables!
Ideally, OpenBSD needs a firewall that's 'web scale' that can be
administered from a PHP web based frontend that uses JSON message
passing for clustering and failover.


Re: Removing PF

Constantine Aleksandrovich Murenin
On 2019-W14-1 19:12 -0700, Jordan Geoghegan wrote:
> Realistically, we need to move to the one true firewall-- iptables!
> Ideally, OpenBSD needs a firewall that's 'web scale' that can be
> administered from a PHP web based frontend that uses JSON message
> passing for clustering and failover.

Don't forget about sharding -- we should probably use MongoDB for a pfsync(4) replacement.

C.
