Will there be a sync mechanism like pfsync in PF?

Hello all.

Does anybody know whether there are any plans to implement something like "ipfwsync", as already exists for PF? For our carrier-grade NAT we are currently using PF, but I want to migrate to ipfw with its [kernel] NAT or, even better, to ng_nat + ng_ipfw. We can't do it unless NAT is fault-tolerant, which it currently is with pfsync. And the absence of "ipfwsync" or, better, netgraph's libalias sync really stops us (and not only us, actually).

The last choice is Linux with its conntrackd daemon, but I really like FreeBSD.
 
You're already using in-kernel NAT with PF. And it's working for you across multiple systems, with failover via CARP. So ... why do you want to change? What features, exactly, are you missing in PF that you think you will get with IPFW?

And if you want performance (hence the use of in-kernel NAT), why would you want to switch to NetGraph? NetGraph was designed from the get-go to be a prototyping framework; it's anything but high-performance.

So, again, why would you want to go from a high-performance, fault-tolerant, working solution, to an un-tested, low-performance, non-fault-tolerant setup?
 
  1. PF is single-threaded. It's a bottleneck under high load.
  2. CARP is far from ideal in FreeBSD (and that's why glebius decided to rewrite it completely), so we don't use it at all (only pfsync).
  3. Customers' traffic shaping is done via ipfw's dummynet. It's nonsense to have two firewalls simultaneously (ipfw for dummynet and PF for NAT and pfsync). There is a patch for PF (thanks, Ermal Luçi!) which adds the ability to work with dummynet, but it's in pfSense only...
  4. I don't know why you decided that netgraph isn't ready for high performance. It works in kernel space and, in the end, it just works in many production setups. E.g. we had a bunch of mpd5 PPTP servers, and they heavily use netgraph: ng_mppc, ng_car, ng_ether, ng_socket etc. We are also using ng_netflow and ng_nat (on some servers) now and haven't had any problems yet.

So I still believe (and insist on it ;)) that ipfw + dummynet + netgraph should be a really nice solution, in case a similar state synchronization mechanism for ipfw appears.

Who wants to get a grant? ;-) I'll try to urge my company to fund it.
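The "one firewall" setup argued for in point 3 (dummynet shaping and NAT in a single ipfw ruleset, with the NAT done by ng_nat behind ng_ipfw) looks like the following. This is an added example written for this page, not a configuration posted in the thread; the interface name, the alias address, the customer pool, the pipe bandwidths and the hook numbers are assumptions, and it expects ipfw to already be in the kernel. The hook layout follows ng_nat(4): hook 60 carries outbound packets into the NAT node, hook 61 carries inbound ones. Note that nothing here replicates the NAT state table to a second box, which is exactly the gap the thread is about.

```shell
#!/bin/sh
# Added example: dummynet shaping plus ng_nat NAT under one ipfw ruleset.
# Names, addresses and numbers below are assumptions, not values from the thread.
EXT_IF="${EXT_IF:-em0}"            # assumed upstream interface
NAT_IP="${NAT_IP:-203.0.113.1}"    # assumed public alias address (documentation range)
INSIDE="${INSIDE:-100.64.0.0/10}"  # assumed customer pool (CGNAT shared address space)
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands, 0 = run them on the box

# run: echo the command so the resulting ruleset is visible; execute it unless DRY_RUN=1
run() {
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# setup_nat: load the modules, create one ng_nat node and attach it to ng_ipfw
# hooks 60 (out) and 61 (in). one_pass=0 makes a packet coming back from a
# netgraph or pipe rule continue with the next rule instead of being accepted.
setup_nat() {
    run sysctl net.inet.ip.fw.one_pass=0
    run kldload ng_ipfw ng_nat
    run ngctl mkpeer ipfw: nat 60 out
    run ngctl name ipfw:60 cgnat
    run ngctl connect ipfw: cgnat: 61 in
    run ngctl msg cgnat: setaliasaddr "$NAT_IP"
}

# setup_shaping: one dummynet pipe per direction; the /32 masks give every
# inside address its own queue, so the limit is per customer, not global.
setup_shaping() {
    run ipfw pipe 1 config bw 10Mbit/s mask dst-ip 0xffffffff   # downstream, per customer
    run ipfw pipe 2 config bw 10Mbit/s mask src-ip 0xffffffff   # upstream, per customer
}

# ruleset: inbound traffic is de-NATed first (only then is the destination an
# inside address that the pipe mask can key on); outbound traffic is shaped
# first and then NATed on its way out. Both rely on one_pass=0 above.
ruleset() {
    run ipfw add 300 netgraph 61 ip from any to any in via "$EXT_IF"
    run ipfw add 310 pipe 1 ip from any to "$INSIDE" in via "$EXT_IF"
    run ipfw add 400 pipe 2 ip from "$INSIDE" to any out via "$EXT_IF"
    run ipfw add 410 netgraph 60 ip from "$INSIDE" to any out via "$EXT_IF"
    run ipfw add 65000 allow ip from any to any
}

setup_nat
setup_shaping
ruleset
```

Run it as-is to review the generated commands; run it with `DRY_RUN=0` as root on the NAT box to apply them. Because a new router starts with an empty libalias table, a failover to it still breaks every established translation, which is the state synchronization the thread is asking for.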
 