Article 6CB7H [CFT] Major pfsync(4) Rewrite on the Horizon

from OpenBSD Journal (#6CB7H)
A major rewrite of pfsync(4), the state table synchronization tool for redundant pf(4) setups, is in the works.

In a recent message to tech@, David Gwynne (dlg@) describes the multi-year process behind the diff contained in the message:

moving pf forward has been a real struggle, and pfsync has been a constant source of pain. we have been papering over the problems for a while now, but it reached the point that it needed a fundamental restructure, which is what this diff is. i started rewriting pfsync (again) during h2k22 last year, and it's only been in the last couple of months that i got all the existing functionality working again, and it's only been the last three weeks in particular that it's been solid. this is the first time since about openbsd 6.9 that i've been able to upgrade my production firewalls without them falling over.

which means there may still be rough edges, but testing by brave souls is encouraged. There are huge potential performance gains to be found if this works out right.

You can read the entire message (with the diff) here, or just take in the rest of the text after the fold.
