Re: Future of pf / firewall in FreeBSD ? - does it have one ?

  Yet another top reply to everyone.

  If anyone is interested in maintaining our FreeBSD version of pf
and taking strategically right (my opinion!) steps in its life, here
is a short TODO list:

1) Make Peter and FreeBSD cluster happy. Work on the IPv6 fragments
handling. IMHO, the right way would be understanding the problem
in its depth and writing code yourself taking ideas or code snippets
from OpenBSD. Do not try blindly to replay all their commits over our tree.

2) Do massive API/ABI cleanup. I had started the process, but did
less than 10% of it. We need to stop sharing structures between
pf internals and ioctls. All kernel structures should live in pfvar.h,
and all API in pf.h. The userland utilities should forget pfvar.h.
This is huge task. No performance benefit, no new shiny features.
But this is strategically correct, if we want a good support of pf
in stable branches. Right now we can't merge any feature back due
to breaking ABI. Even fixing bugs usually would require ABI breakage.
Also, after completing the cleanup and header split further development
would become easier.

3) Right now the hot point of contention is the pf_rules_rwlock. It
is reader-vs-reader contention on the cache line. Eliminating it
would bring a good performance gain on SMP. This would probably
require an RCU-like management of rules. Fortunately, the rules
in pf a changed in "one commit", unlike in ipfw rule by rule.

4) Convert all counters in pf to counter(9). That would be next
point of contention once 3) is done.

*) Cherry pick any feature you need from OpenBSD. This requires
understanding code. Replaying commits won't work.

P.S. I'm sorry for saying what should be done without doing that
myself. I've spent quite a lot of time on pf, I was promised funding
for that and later deceived. Real life changes like new job, children,
etc. shifted my focus away from pf and I simply can't dedicate the
amount of time to pf that I used before.

-- 
Totus tuus, Glebius.