Re: 2 questions regarding PF
2010/11/3 Przemysław Pawełczyk pp...@o2.pl:

Hi, 1. Why PF 4.2 not 4.7 or 4.8? OpenBSD page http://www.openbsd.org/faq/pf/index.html has one important remark bolded: In particular, there are significant differences between 4.6 and 4.7. Does it mean that I would have to learn something rather old - how to use PF 4.2 instead of PF 4.7/4.8. Right?

It's easier (but still very hard) to do incremental updates of PF, than to jump to the most recent version of it. Besides, just think of it. OpenBSD developers themselves, went through all the intermediate versions before landing in 4.8.

I also grab the chance to thank Jan Lentfer in public, for his dedication and hard efforts that yielded excellent results.

Stathis
Re: 2 questions regarding PF
On Wed, 3 Nov 2010 08:04:21 +0200 Stathis Kamperis ekamp...@gmail.com wrote:

2010/11/3 Przemysław Pawełczyk pp...@o2.pl:

Hi, 1. Why PF 4.2 not 4.7 or 4.8? OpenBSD page http://www.openbsd.org/faq/pf/index.html has one important remark bolded: In particular, there are significant differences between 4.6 and 4.7. Does it mean that I would have to learn something rather old - how to use PF 4.2 instead of PF 4.7/4.8. Right?

It's easier (but still very hard) to do incremental updates of PF, than to jump to the most recent version of it. Besides, just think of it. OpenBSD developers themselves, went through all the intermediate versions before landing in 4.8.

Hi, Besides, just think of it. As the OpenBSD team ***did*** the work (for others, DF including) why not to jump to the latest version? Is not justified such thinking?

I also grab the chance to thank Jan Lentfer in public, for his dedication and hard efforts that yielded excellent results.

My God, I only asked why... You are the second person paying tribute to Mr Jan Lentfer publicly for His works taking advantage of my e-mail. Did I say anything belittling His efforts and the results? I thought it was understandable to all that His works are highly appreciated.

Regards

P.S. Why everybody answers to my account and to the mailing list? I subscribed to the mailing list with provision not to be clobbered with double e-mails.

-- Przemysław Pawełczyk (P2O2) [pron. Pshemislav Paveltchick] http://pp.blast.pl, pp...@o2.pl
Re: 2 questions regarding PF
FreeBSD and NetBSD with ten times bigger teams still use PF from OpenBSD 3.*? There isn't a single initiative to change that, moreover FreeBSD is sticking with ipfw and NetBSD started creating its own implementation - NPF. There was discussion here and there, why they started creating NPF instead of updating PF. Even OpenBSD developers know that PF code has become messy with time going by - you can check presentation from this year AsiaBSDCon [1]. So I'm impressed what Jan Lentfer has done (thank you!).

Besides that PF isn't MP-friendly, as you can say same about OpenBSD. Situation ain't going to change any soon - one of the main reasons for writing NPF from scratch. Maybe it isn't big and direct problem for DragonFly BSD, but completely different locking model can be. I'm just saying...

PF within OpenBSD relies also on changes made to other subsystems. Tracking those hooks is probably easier, when you go version after version, than with huge number jump.

[1] http://www.openbsd.org/papers/asiabsdcon2010_pf/index.html

-- Paul Onyschuk bl...@bojary.koba.pl
Re: 2 questions regarding PF
Hi,

On Wed, 3 Nov 2010 00:28:29 +0100, Przemysław Pawełczyk pp...@o2.pl wrote:

Hi, 1. Why PF 4.2 not 4.7 or 4.8?

Going from pf as included in OpenBSD 3.5 to the version in OpenBSD 4.2 already included changing some ten thousands lines of code, including changing network subsystems that are not used solely by pf (e.g. mbuf headers, altq). It is not, as you seem to think, just replacing some source files and recompile. But if you were really interested you could have found out by looking at the corresponding commits.

I have been working on this for approximately 4 months several hours a day, and guess what, this is not my daily job, but my hobby. Sure, 4.7, 4.8 or whatever is actual by the time I get there is the final goal, but I'd rather do it in smaller, but working and tested steps, than incorporating 7 or 8 years of development on the OpenBSD side in one hasty rush. Maybe we will be on the same version as OpenBSD with 2.10, maybe with 2.12 or 2.14, I don't know yet. But this has already been discussed on the MLs, so this is actually just a summarized repetition.

As far as documentation is concerned, the pf man pages have been updated and include, at least to my knowledge, the DF specific differences (which are fairq and pickups) and you can work quite well with the OpenBSD examples on their website, of course using the appropriate version. I do and did it that way and I don't see why it should be any harder for you.

I have to say one thing, too: Your demands towards this project in regard to documentation, actuality, features, etc, are pretty high, but your contributions are really not seeable. As long as this is the case, it would be very kind of you, if you just formulate your emails a little less demanding. I get the impression that you are trying to goad people involved in this project - on purpose or by weakness of character, I haven't found out yet. Of course I hope my impression is totally wrong and you are just honestly seeking help and just don't hit the right tone.

Kind Regards, Jan

-- professional: http://www.oscar-consult.de private: http://neslonek.homeunix.org/drupal/
Re: 2 questions regarding PF
2010/11/3 Przemysław Pawełczyk pp...@o2.pl:

On Wed, 3 Nov 2010 08:04:21 +0200 Stathis Kamperis ekamp...@gmail.com wrote:

2010/11/3 Przemysław Pawełczyk pp...@o2.pl:

Hi, 1. Why PF 4.2 not 4.7 or 4.8? OpenBSD page http://www.openbsd.org/faq/pf/index.html has one important remark bolded: In particular, there are significant differences between 4.6 and 4.7. Does it mean that I would have to learn something rather old - how to use PF 4.2 instead of PF 4.7/4.8. Right?

It's easier (but still very hard) to do incremental updates of PF, than to jump to the most recent version of it. Besides, just think of it. OpenBSD developers themselves, went through all the intermediate versions before landing in 4.8.

Hi, Besides, just think of it. As the OpenBSD team ***did*** the work (for others, DF including) why not to jump to the latest version? Is not justified such thinking?

1. They did not do the work for DF nor anyone else. http://www.openbsd.org/papers/asiabsdcon2010_pf/mgp00012.html As the slide says, PF is getting harder and harder to port with increasing version numbers. Probably, due to its tighter integration with the rest of the OS. But also because it contains unreadable code, e.g. http://www.netbsd.org/~rmind/pf.txt . On top of these, we have dfly-specific features, that need to be preserved. So huge-diffs don't quite work.

2. If you go for the latest/greatest and fail, you end up with your ancient PF version. But if you do incremental updates, you mitigate the impact of a potentially unsuccessful port. Also, if you are tired/bored at some point, others have a stepping-stone to continue the effort.

I also grab the chance to thank Jan Lentfer in public, for his dedication and hard efforts that yielded excellent results.

My God, I only asked why... You are the second person paying tribute to Mr Jan Lentfer publicly for His works taking advantage of my e-mail. Did I say anything belittling His efforts and the results? I thought it was understandable to all that His works are highly appreciated.

You are being touchy and sarcastic, but there's no need for either.

Regards P.S. Why everybody answers to my account and to the mailing list? I subscribed to the mailing list with provision not to be clobbered with double e-mails.

You could have said it at your first email and we wouldn't. Usually, people that subscribe to a mailing list, choose to receive messages in a daily digest or so. In such cases, it's reasonable to CC' them when we reply to their messages.

Stathis
Re: 2 questions regarding PF
On Wed, 3 Nov 2010 15:29:34 +0200 Stathis Kamperis ekamp...@gmail.com wrote:

(...)

Besides, just think of it. As the OpenBSD team ***did*** the work (for others, DF including) why not to jump to the latest version? Is not justified such thinking?

1. They did not do the work for DF nor anyone else. http://www.openbsd.org/papers/asiabsdcon2010_pf/mgp00012.html As the slide says, PF is getting harder and harder to port with increasing version numbers. Probably, due to its tighter integration with the rest of the OS. But also because it contains unreadable code, e.g. http://www.netbsd.org/~rmind/pf.txt . On top of these, we have dfly-specific features, that need to be preserved. So huge-diffs don't quite work.

2. If you go for the latest/greatest and fail, you end up with your ancient PF version. But if you do incremental updates, you mitigate the impact of a potentially unsuccessful port. Also, if you are tired/bored at some point, others have a stepping-stone to continue the effort.

Gentlemen, (Messrs. Paul Onyschuk, Stathis Kamperis, Jan Lentfer, et al)

I thank you very much for your grass-root insight into PF issue which has a lot of hype attached to it.

1. I understand that someone will put PF 4.2 guide on DF WWW.
2. I understand that PF development will go its old way - better performance AND hectic times for those who dare to integrate latest PF version (from OpenBSD) into other op systems AND the same problem with MP implementation (or lack of).
3. I understand that PF 4.8 is the best from all of its versions - simplified, improved, and optimized.
4. I do know nothing about packet filters future implementations in DF:
a) was the PF 4.2 implemented verbatim or was it tighter integrated with DF MP kernel and as such it constitutes new - DF - flavor of PFs?
b) will PF presence in DF be continued in the future or will it be supplanted with NPF or other MP aware packet filters?

I also grab the chance to thank Jan Lentfer in public, for his dedication and hard efforts that yielded excellent results.

My God, I only asked why... You are the second person paying tribute to Mr Jan Lentfer publicly for His works taking advantage of my e-mail. Did I say anything belittling His efforts and the results? I thought it was understandable to all that His works are highly appreciated.

You are being touchy and sarcastic, but there's no need for either.

I'm sorry, I'll try to keep my rein on my pen (keyboard) more.

P.S. Why everybody answers to my account and to the mailing list? I subscribed to the mailing list with provision not to be clobbered with double e-mails.

You could have said it at your first email and we wouldn't. Usually, people that subscribe to a mailing list, choose to receive messages in a daily digest or so. In such cases, it's reasonable to CC' them when we reply to their messages.

Thanks.

Regards

-- Przemysław Pawełczyk (P2O2) [pron. Pshemislav Paveltchick] http://pp.blast.pl, pp...@o2.pl
Re: 2 questions regarding PF
On Wed, 03 Nov 2010 14:16:54 +0100 Jan Lentfer jan.lent...@web.de wrote:

I have to say one thing, too: Your demands towards this project in regard to documentation, actuality, features, etc, are pretty high,

Should I choose the list common denominator? First of all I said/pointed at that DF lacks PF Guide known from OpenBSD. Yes, my language was demanding the more so DF PF 4.2 is different from PF 4.7+. The MAN page is not enough, some examples like the OpenBSD's Firewall for Home or Small Office would be highly advisable. From my point of view I do not understand why such important part of any today's operating systems is not accompanied with *good* packet filter guide(s).

but your contributions are really not seeable. As long as this is the case, it would be very kind of you, if you just formulate your emails a little less demanding. I get the impression that you are trying to goad people involved in this project - on purpose or by weakness of character, I haven't found out yet. Of course I hope my impression is totally wrong and you are just honestly seeking help and just don't hit the right tone.

I hope your touchy nature is only a nano speck of your personality. What would I gain being goady and alienating DF teamers? For what? Writing about me in those words you crossed the line of personal smearing.

just don't hit the right tone - a worshipper's tone would fit?

Kind regards Przemysław Pawełczyk

-- Przemysław Pawełczyk (P2O2) [pron. Pshemislav Paveltchick] http://pp.blast.pl, pp...@o2.pl
Re: 2 questions regarding PF
* Przemysław Pawełczyk wrote:

First of all I said/pointed at that DF lacks PF Guide known from OpenBSD. Yes, my language was demanding the more so DF PF 4.2 is different from PF 4.7+. The MAN page is not enough, some examples like the OpenBSD's Firewall for Home or Small Office would be highly advisable. From my point of view I do not understand why such important part of any today's operating systems is not accompanied with *good* packet filter guide(s).

Because somebody has to do it! This is an Open Source project, so most of the people do the work in their spare time (and this applies to 99% of the developers in DragonFly). Jan spent a considerable amount of time to port PF and nobody ported the documentation yet. I'm happy to integrate *your* port of the OpenBSD's documentation into our official handbook. Just port it, test it well on DF and send me the files or put it on the website yourself.

Cheers Matthias
Re: 2 questions regarding PF
On Wed, 3 Nov 2010 15:21:42 +0100, Przemysław Pawełczyk pp...@o2.pl wrote:

1. I understand that someone will put PF 4.2 guide on DF WWW.

You just volunteered?

[...]

4. I do know nothing about packet filters future implementations in DF: a) was the PF 4.2 implemented verbatim or was it tighter integrated with DF MP kernel and as such it constitutes new - DF - flavor of PFs?

One goal was to minimize the diff to the Original OpenBSD source to ease further imports. As already mentioned fairq and pickups support have been kept intact, OpenBSD doesn't have this, nor does any other BSD (to my knowledge). Oh, and yes, we have SMP-capable socket lookups. Still I wouldn't call it an own flavour of pf, as the goal is the opposite. It's pf with df-specific features.

b) will PF presence in DF be continued in the future or will it be supplanted with NPF or other MP aware packet filters?

From the look in my crystal ball I can tell you... I don't know, nobody knows, as this is all depending on finding individuals willing to invest their spare time. It is not possible to set up a 3-year roadmap as there are no plannable resources in such a project. I can tell you that my personal goal is to reach version equality with OpenBSD and stay up-to-date from there on, but this is not a promise nor an obligation on my side. If NPF is production ready, I am quite sure I will take a look, too.

Jan

-- professional: http://www.oscar-consult.de private: http://neslonek.homeunix.org/drupal/
Re: 2 questions regarding PF
On Wed, 03 Nov 2010 15:56:42 +0100 Jan Lentfer jan.lent...@web.de wrote:

On Wed, 3 Nov 2010 15:21:42 +0100, Przemysław Pawełczyk pp...@o2.pl wrote:

1. I understand that someone will put PF 4.2 guide on DF WWW.

You just volunteered?

Nope. :-( I answered why privately to one of the Mail List recipients:

-- Why not provide some patches to provide the documents instead of just making suggestions. Because such document needs correction and adjustment, and those demand more knowledge than I have. I hoped that finding omissions, not only bugs, contributes to DF development too. --

(...) For the remaining answers simply - thank you.

Regards

-- Przemysław Pawełczyk (P2O2) [pron. Pshemislav Paveltchick] http://pp.blast.pl, pp...@o2.pl
Re: 2 questions regarding PF
On Wed, Nov 3, 2010 at 6:46 PM, Jan Lentfer jan.lent...@web.de wrote:

if you just formulate your emails a little less demanding. I get the impression that you are trying to goad people involved in this project - on purpose or by weakness of character, I haven't found out yet. Of course I hope my impression is totally wrong and you are just honestly seeking help and just don't hit the right tone.

I think he is pretty clueless regarding programming and of the effect of changes on subsystems like me. Reminds me of the many emails I used to write to OpenBSD-misc in my early days and you know ;-)

thanks and regards

--Siju
2 questions regarding PF
Hi,

1. Why PF 4.2 not 4.7 or 4.8? OpenBSD page http://www.openbsd.org/faq/pf/index.html has one important remark bolded: In particular, there are significant differences between 4.6 and 4.7. Does it mean that I would have to learn something rather old - how to use PF 4.2 instead of PF 4.7/4.8. Right?

2. But support for the PF 4.2 is sorta soft (weak), as well. I wasn't able to find PF 4.2 doc files on DF BSD WWW. I'd like to see them in the form of OpenBSD's PF: The OpenBSD Packet Filter (http://www.openbsd.org/faq/pf/index.html) I think that the pf.conf man should contain version number (4.2) within the head of the file too.

Regards

-- Przemysław Pawełczyk (P2O2) [pron. Pshemislav Paveltchick] http://pp.blast.pl, pp...@o2.pl
Re: 2 questions regarding PF
On Tue, November 2, 2010 7:28 pm, Przemysław Pawełczyk wrote:

Hi, 1. Why PF 4.2 not 4.7 or 4.8? OpenBSD page http://www.openbsd.org/faq/pf/index.html has one important remark bolded: In particular, there are significant differences between 4.6 and 4.7. Does it mean that I would have to learn something rather old - how to use PF 4.2 instead of PF 4.7/4.8. Right?

Jan Lentfer has been working on upgrading pf - he's gotten us to the present state with a good deal of effort, so I anticipate pf will soon match the released version. I'm not defining soon that exactly.

2. But support for the PF 4.2 is sorta soft (weak), as well. I wasn't able to find PF 4.2 doc files on DF BSD WWW. I'd like to see them in the form of OpenBSD's PF: The OpenBSD Packet Filter (http://www.openbsd.org/faq/pf/index.html)

Why not read that instead? It's right from the source.
Re: 2 questions regarding PF
On Tue, 2 Nov 2010 19:37:32 -0400 Justin C. Sherrill jus...@shiningsilence.com wrote:

2. But support for the PF 4.2 is sorta soft (weak), as well. I wasn't able to find PF 4.2 doc files on DF BSD WWW. I'd like to see them in the form of OpenBSD's PF: The OpenBSD Packet Filter (http://www.openbsd.org/faq/pf/index.html)

Why not read that instead? It's right from the source.

Yes, I did. :-) But as I said - there are discrepancies - how big? Where? On the other hand DF should provide good documentation on PF issues. Better than now.

Regards

-- Przemysław Pawełczyk (P2O2) [pron. Pshemislav Paveltchick] http://pp.blast.pl, pp...@o2.pl
Re: 2 questions regarding PF
2010/11/3 Przemysław Pawełczyk pp...@o2.pl:

On Tue, 2 Nov 2010 19:37:32 -0400 Justin C. Sherrill jus...@shiningsilence.com wrote:

2. But support for the PF 4.2 is sorta soft (weak), as well. I wasn't able to find PF 4.2 doc files on DF BSD WWW. I'd like to see them in the form of OpenBSD's PF: The OpenBSD Packet Filter (http://www.openbsd.org/faq/pf/index.html)

Why not read that instead? It's right from the source.

Because it's valid only for actual release which is 4.8 right now

Yes, I did. :-) But as I said - there are discrepancies - how big? Where? On the other hand DF should provide good documentation on PF issues. Better than now.

Regards

-- Przemysław Pawełczyk (P2O2) [pron. Pshemislav Paveltchick] http://pp.blast.pl, pp...@o2.pl
Re: 2 questions regarding PF
2010/11/3 Przemysław Pawełczyk pp...@o2.pl:

Yes, I did. :-) But as I said - there are discrepancies - how big? Where?

The rule set changes are major.

On the other hand DF should provide good documentation on PF issues. Better than now.

you can get 4.2 doc or any older doc from the CVS WEB http://www.openbsd.org/cgi-bin/cvsweb/www/faq/pf/

hope this helps :-)

--Siju
Re: 2 questions regarding PF
2010/11/3 Siju George sgeorge...@gmail.com:

you can get 4.2 doc or any older doc from the CVS WEB http://www.openbsd.org/cgi-bin/cvsweb/www/faq/pf/

http://web.archive.org/web/*/http://www.openbsd.org/faq/pf/ might be better :-)

--Siju
Re: 2 questions regarding PF
On Wed, 3 Nov 2010 07:25:13 +0530 Siju George sgeorge...@gmail.com wrote:

2010/11/3 Siju George sgeorge...@gmail.com:

you can get 4.2 doc or any older doc from the CVS WEB http://www.openbsd.org/cgi-bin/cvsweb/www/faq/pf/

http://web.archive.org/web/*/http://www.openbsd.org/faq/pf/ might be better :-)

Thanks. http://web.archive.org/web/20080203095155/http://www.openbsd.org/faq/pf/ To be exact. :-) And that is the PF doc which should be put on DF doc pages.

Regards

-- Przemysław Pawełczyk (P2O2) [pron. Pshemislav Paveltchick] http://pp.blast.pl, pp...@o2.pl