OpenBSD Journal

mainstreaming pf - KAME imports sources

Contributed by jose on from the possible-improvements-for-pf dept.

PF is being considered for inclusion in the KAME sources. KAME is the group that builds a lot of IPsec and IPv6 BSD code, and several developers work on the BSD projects directly (including OpenBSD). As tom hensel points out: "google groups archive"

The possibilities with tighter IPsec integration are interesting, and it remains to be seen whether PF gets included here and what new features and improvements get pulled in.

(Comments are closed)

  1. By Anonymous Coward () on

    Clearly this has cheesed off Darren Reed (ipf). I'm sure many people are wondering if his opinion is genuine, or motivated by pf bitterness....

    1. By Anonymous Coward () on

      In fact it's not just Darren and ipf. OpenBSD hostility just seems to ooze through the thread once the surface is scratched -- Ouch! Itojun treads dangerous ground.

    2. By Matt () on

      I was thinking the same thing.

      Darren has such a reputation for being a troll that it's hard to take him seriously when he may have a valid point. Too much integration can be a bad thing (think Windows and Internet Explorer) but I'm not about to tell the pf dev team they don't know what they're doing. I'm sure they've weighed the pros and cons of tying the two software packages so closely together.

    3. By Jadipai () on

      I don't think he should be "cheesed off" (I don't know if he is), because ipf stays in NetBSD when new PF and new ALTQ come. Also in the thread some person suggests making hooks for ipf in ALTQ so that he could also make ALTQ integration like PF does. Well, this way or that way, I can't wait to have PF in NetBSD.

    4. By krh () on

      Well, having watched Darren for a long time, and having even spoken privately to him once or twice, I'm sure that politics is at least in the back of his mind. You might consider that a strike against him, but so long as he brings up serious arguments (which he has done) I don't think it's a problem.

      If you really want to pick on him, you can find better examples. :-)

      1. By Anonymous Coward () on

        Oh come on.
        As if we didn't understand that he was afraid to see another filter on NetBSD.
        His ipf has been removed from OpenBSD and is competing with ipfw on FreeBSD.
        He just tries to keep some places where ipf is still safe from competitors.

    5. By Anonymous Coward () on

      One petty argument after another. It's a wonder both projects are accomplishing anything.

    6. By Anonymous Coward () on

      I've seen this thread a while ago while it was still busy. I've been following it in these days and tried to analyse the whole thing.

      Point is that Darren does bring some valid points. However he is not non-biased. Rather a lot biased. His flame that PF is not mature should not be responded to. It's common bullshit.

      I see no point in giving NetBSD users NOT the choice by default between PF and IPF. We're not talking about default here, the user has the power to choose one of the 2 default packet filters.

  2. By scot bontrager () on

    After reading 107 messages in that thread... itojun is one brave guy for being in "both camps."

    The idea of using pf as the IPSec classifier rocks as much as using it as the ALTQ classifier. It's a shame that people are resisting it because it's "from openbsd" and that people refuse to let go of a dead system simply because changing scares them.

    IIRC OpenBSD doesn't use KAME for IPSec. Am I right in this? Will this integration even do anything for us?

    1. By Anonymous Coward () on

      A lot of the resistance just seems to be reflexive Theo hatred. After all, it is a BSD license -- NetBSD and KAME can fork pf if they really feel shut out of the process.

      I am curious though. Do good developers *really* get kicked out of the OpenBSD developers circle just for being associated with NetBSD, or friends with NetBSD developers? That would be pretty ridiculous if it were true. I like to think Theo is a much better project leader than that....(and it seems there must be more to the stories of people being 'kicked out' just for associations with NetBSD, since itojun is now NetBSD core after all!).

      1. By grey () on

        You seem a little confused - itojun is a developer for KAME, NetBSD, OpenBSD (and more), since he's the one working on bringing pf to NetBSD, I don't see why he would feel shut out of the process or fork pf into something else altogether.

        Your second paragraph seems even more misguided. While there is a bit of political history between OpenBSD & NetBSD (e.g., that tends to have been primarily between Theo & members of NetBSD's core@. For those wanting the executive summary, essentially Theo forked OpenBSD from NetBSD because once he was ousted from NetBSD's core, he was unable to even gain back commit access to incorporate changes he had made. If memory serves, the "open" portion of "OpenBSD" was initially intended to reflect the open attitude towards development that OpenBSD was to have.

        At least within the camp of OpenBSD developers, I don't think I've seen much in the way of castigation because developers have been members of other development projects (NetBSD notwithstanding). Most hearsay I have heard about OpenBSD developers having commit access removed has been directly related to their actions (or more often inactions [i.e. they haven't committed in ages and so commit access is put on hold until they start hacking again]) as related to OpenBSD. Work developers provide on other projects I think would rarely be factored into their position with OpenBSD, unless it was somehow in conflict with OpenBSD goals, though I'm just an avid user, I still can't think of any real instances of what you're alleging.

        I'm really not sure where you've heard these stories of OpenBSD developers being kicked out of OpenBSD due to NetBSD associations, or towards whom they reference. The closest things that come to mind would be Theo getting kicked out from NetBSD itself... or _maybe_ Niels Provos joining up with NetBSD -after- losing commit access to OpenBSD. Maybe you, or others could actually point out some instances of what you seem to be claiming, I sure can't think of anything though.

        1. By Anonymous Coward () on

          Read the thread linked from the story. The poster wasn't making any accusations - just raising questions about accusations that were being thrown back and forth in the thread.

        2. By MotleyFool () on

          >_maybe_ Niels Provos joining up with NetBSD -after- losing commit access to OpenBSD.

          I always wondered what really happened behind this, however it seemed to be a private matter that didn't make it out onto the lists.

        3. By grey () on

          OK, I see what you're saying now - I had to dig deeper into that thread than before when I first read the start regarding pf+KAME. The first twenty or so posts yesterday seemed mostly concerned with Darren vs. Kenjiro & Itojun banter more related to altq's preferential approach to pf and kind of bored me after a while.

          With respect to some of the stuff that der Mouse, Thor & others went on about. I (and probably most other observers I'd guess) can't really say one way or another how accurate the claims are having not been involved in their dealings. Seems to be very politically charged though, and since we don't have the other side of the story (namely Theo's, being the theocracy/openbsd 'benevolent dictator') it's hard to speculate on things other than how they're represented there. Thor's comments in particular are the most intriguing, but by the same token - they do not seem to be all that objective. There's no coremail file to scrutinize publicly either. :-/

          One mention much later in the thread regarding a number of people in A2 losing commit access, there has been a little more public discussion about to substantiate, but not much.

          and with that segue...

          MotleyFool: wrt to Niels in particular, from my understanding the situation was kept pretty private, so some other folks could probably shed more light if it's something that they feel needs more attention. The most public piece of evidence from which to draw conclusions surrounds a security advisory put out Summer of '02 that Provos had worked on. After that it's all internal machinations and speculation, since you can see no further commits - and some time later Niels contributing a bit to NetBSD.

          That KAME thread really did turn into something wholeheartedly different than how it began. I wonder how much time has been wasted by itojun & Darren (and others) that could have been spent in a productive manner instead.

          1. By Anonymous Coward () on

            yeah, I'm wondering why darren didn't send itojun a diff :)

            1. By Anonymous Coward () on

              darren doesn't need to diff, he automagically writes inherently perfect code just by talking about it ;)

    2. By tony () figment@of.your.imagination on

      I was just getting started with OpenBSD when "ipf" was pulled and due to some time constraints I never ran an OpenBSD firewall using "ipf". When I finally had the time to deploy a firewall I had OpenBSD 3.1 and just used "pf". Can anyone who has experience with both tell me if "pf" is functionally equivalent to "ipf"?

      I missed getting OpenBSD 3.2 installed and so when I upgraded I went from 3.1 to 3.3 and I was amazed at the new things "pf" supports. I admit I didn't at first know why "ipf" was removed from OpenBSD so I had to do some Google searches to see what the deal was. After reading what happened and the licensing change that Darren made it was the right thing to remove the code. The license change appears to violate one of the core goals of OpenBSD which is to ensure all of the code in OpenBSD is free.

      1. By Anonymous Coward () on

        Actually pf is now more than just 'functionally equivalent' to ipf. In many ways, it has surpassed ipf ...

        1. By Wraith () on

          I'll second that. When ipf was first removed and pf was brought in I was very nervous. I felt comfortable with ipf. I had used it for over a year. I started playing with pf and fell in love. I feel the syntax is easier, and the firewall is much more stable. Now I'm glad Darren changed his license, I think OpenBSD is better off. I want to thank everyone involved in the pf and OpenBSD projects for their hard work and dedication.

    3. By Anonymous Coward () on

      Wish a more serious fight would break out over OpenSSL :)

    4. By Anonymous Coward () on

      ...and gcc, come to think of it.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]