A major rewrite of pfsync(4), the state table synchronization tool for redundant pf(4) setups, is in the works.
In a recent message to tech@, David Gwynne (dlg@) describes the multi-year process behind the diff contained in the message:
moving pf forward has been a real struggle, and pfsync has been a constant source of pain. we have been papering over the problems for a while now, but it reached the point that it needed a fundamental restructure, which is what this diff is. i started rewriting pfsync (again) during h2k22 last year, and it's only been in the last couple of months that i got all the existing functionality working again, and it's only been the last three weeks in particular that it's been solid. this is the first time since about openbsd 6.9 that i've been able to upgrade my production firewalls without them falling over.
All of which means there may still be rough edges, so testing by brave souls is encouraged. There are potentially large performance gains to be had if this works out right.
You can read the entire message (with the diff) here, or just take in the rest of the text after the fold.