
Solaris adopting OpenBSD's pf - mfincham
http://bsdly.blogspot.com/2015/04/solaris-admins-for-glimpse-of-your.html
======
SwellJoe
"Perhaps due to Oracle's practice of putting beta testers under non-disclosure
agreements, or possibly because essentially no tech journalists ever read
OpenBSD developer-focused mailing lists, Oracle's PF plans have not generated
much attention in the press."

Or, perhaps it's because Solaris doesn't matter to anyone anymore.

I just spent a week, or so, updating our installer for Solaris, which is the
first time I've spent any time on Solaris in a long while. I was surprised by
how far behind _everything_ is, and how difficult it is to find people
actually doing things with Solaris, anymore.

The CSW and spec-files-extra repositories are all but unmaintained and have
been for years, and thus include packages that are insecure by default. Sun
Freeware is now a commercial service that is expensive enough for me to
assume they only have a few hundred users (tops). Installing anything beyond a
bare bones AMP stack is an exercise in frustration unlike anything I've ever
seen (and I've been messing with UNIX and Linux systems for 20+ years).

Solaris 11 currently has outdated everything. The Open Source community that
had sprung up around Solaris during the early OpenSolaris years has fled to
Illumos-based distributions (or to Linux or the BSDs, I guess; they certainly
aren't working on Solaris, anymore), none of which have the resources to even
compete with a modern Linux or even the BSDs in terms of number of people
working on making it nice, modern, and easy to deploy.

In short, Solaris is a wasteland. Oracle seems to just be milking the
remaining corporate users until the cash cow falls over dead.

~~~
digi_owl
Puts the activity out of Red Hat in perspective.

Used to be that if you wanted a desktop *nix you grabbed a Solaris box. Now I
think it is more and more RHEL that is filling that niche (Apple's shenanigans
may work in academia and media production, but it will not fly in
corporate/government circles).

These will be "interesting" times...

~~~
JoachimS
OSX only in academia or media?!

We probably live in different multiverse universes. Where I am, OSX has really
become the OS of choice by people doing tech work in industry/enterprise. I
see glowing apples everywhere.

The "Apple in academia and media" meme feels like a Rick Astley video on repeat
decade after decade.

~~~
PhantomGremlin
OSX is popular in the tech industry _despite_ Apple, not because of Apple.
Microsoft knows how to support businesses, Apple ... not so much.

~~~
ma2rten
I see what you mean, but on the other hand Apple does have a big advantage,
because their system is so homogenous. It's very easy for IT to support a
fleet of MacBooks.

~~~
kjs3
You have very, very clearly never tried to support a fleet of MacBooks in a
corporate IT environment.

------
walterbell
Oct 2014 thread on FreeBSD-based pfSense fork of OpenBSD pf,
[https://forum.pfsense.org/index.php?topic=83075.0](https://forum.pfsense.org/index.php?topic=83075.0)

_"2.2 should prove to be significantly more scalable than OpenBSD, since we
have SMP-capable pf now, which isn't doable in OpenBSD (and will likely be a
number of years until it is). Plus AES-NI, more coming soon.
[https://blog.pfsense.org/?p=1473](https://blog.pfsense.org/?p=1473)

Bug fixes are brought over into FreeBSD from OpenBSD as needed (sometimes by
us, sometimes by others), though FreeBSD pf is essentially a fork at this
point since making it SMP-capable changed things significantly. It's mostly
separately-maintained at this point."_

~~~
gonzo
More recent thread:

[http://lists.pfsense.org/pipermail/list/2015-April/008610.html](http://lists.pfsense.org/pipermail/list/2015-April/008610.html)
[http://lists.pfsense.org/pipermail/list/2015-April/008611.html](http://lists.pfsense.org/pipermail/list/2015-April/008611.html)
[http://lists.pfsense.org/pipermail/list/2015-April/008614.html](http://lists.pfsense.org/pipermail/list/2015-April/008614.html)

I'm a co-author on the mentioned paper, and the author of the second post.
Edit: and author of the linked blog post above.

------
PhantomGremlin
The blog says:

    possibly because essentially no tech journalists
    ever read OpenBSD developer-focused mailing lists,
    Oracle's PF plans have not generated much
    attention in the press

But that glosses over the obscurity of the mailing list post. I skim the
OpenBSD tech list, and I also overlooked this post. Why? Here's the title:

    pfi_kif leaks for PBR rules

That doesn't scream "read me" to casual observers, does it?

As for support for the "reveal" in the title, the mailing list post goes on to
say:

    also for your info: IPF in Solaris is on its
    death row. PF in 11.3 release will be available
    as optional firewall. We hope to make PF default
    (and only firewall) in Solaris 12. You've made
    excellent job, your PF is crystal-clear design.

The IPF packet filter currently in Solaris was originally also in OpenBSD. It
was replaced by pf in 2001 after the IPF author started playing games with the
copyright.

------
tomglindmeier
That just underlines the amazing work the OpenBSD guys are doing. In the end
quality wins. I hope OpenBSD gets more and more adoption in the industry.

------
talideon
IIRC, there's work going on in FreeBSD to port its multithreading patches up to
the latest version of pf. Hopefully the extra resources brought by Solaris
using pf will help make that a reality.

~~~
gonzo
No, there isn't.

The pf in FreeBSD has forked away.

The much ranted about "performance improvement" in OpenBSD's pf isn't an issue
on FreeBSD.

[http://lists.pfsense.org/pipermail/list/2015-April/008611.html](http://lists.pfsense.org/pipermail/list/2015-April/008611.html)

~~~
talideon
Well, I guess all that talk on the BSD Now podcast a few weeks ago was
nonsense then? I'll go back and listen to them again and pick out the episode
along with a timestamp, if you'd like.

Anyhow, I'm not referring to the OpenBSD performance improvements being a
reason to port it over. You're right: it isn't an issue for FreeBSD. However,
it benefits FreeBSD if the version of pf used is simply OpenBSD pf with SMP
support and a few other bits, because that means less stuff to maintain.

~~~
detaro
If they really have diverged that much, the effort to merge them (if even
possible from an architectural point of view) gets you a lot of maintenance on
both sides.

(Not to talk of the personal issues that obviously exist)

------
cnst
Only took some one year for people to notice...

[http://marc.info/?l=openbsd-tech&m=140335809432589&w=2](http://marc.info/?l=openbsd-tech&m=140335809432589&w=2)

------
gonzo
OpenBSD dev spams us to buy his book, attend his tutorial on pf at BSDcan, and
buy OpenBSD CD-ROM sets.

Why is this on HN? Why not a link to the original announcement?

~~~
rtendro
Peter is not an OpenBSD developer, not that it matters... You take every
opportunity to take a jab at OpenBSD, even though you profit from it in
pfSense.

~~~
feld
No, he profits from FreeBSD's fork of pf which is faster than OpenBSD's. These
pf versions are diverging a lot; they should be considered separate projects
much like how OpenBSD and FreeBSD have similar ancestry but aren't the same
OS.

