OpenBSD gets brand-new packet filter

Anon wrote: OpenBSD has started getting a new packet filter, pf, written largely by Daniel Hartmeier. The commits have been flying since then, but it looks like the new filter is going to be ipf-compatible as well as BSD licensed.

Re:Best luck!

[Anonymous Coward]

I just hope that unlike OpenSSH they won't make two versions - native and portable.

This is even more likely than it was with OpenSSH - think about it, ssh is just userland - packet filtering requires some sort of kernel intervention.

Re:*BSD is dying

[Anonymous Coward]

Let's also not forget that the majority of Linux code is STILL based on (old) *BSD code.

Uhm - no. Linux and BSD share some utilities (courtesy of the GNU foundation). As for wholesale use of BSD code - no. The surly BSD cliche back when Linux was just starting to come together would have thrown a royal hissy fit.

Re:*BSD is dying

[Anonymous Coward]

Same here, sorta. I'm upgrading/migrating quite a few clients of mine from Linux to FreeBSD, OpenBSD and NetBSD where applicable...
Tried of all those various distro's out there that are becoming unmanagable because they're all different, Caldera and RedHat going completely commercial similar to the way M$ did. Well, that's one reason I moved away from M$,the greed they have and now commercialized Linux distro companies are doing the same! I'm jumping off boat now.
Sorry RH, Caldera, etc... You guys always sucked anyways... And as for Slackware, atleast for them it's not about 'money' so they have my upmost respect and support the same as the (free)*BSD's.

Re:overblown

[Anonymous Coward]

Unfortunately, if you look at the letter of the licensing agreement (its exact wording), the modified BSD license (for those that don't know, is the original BSD license minus the advertising clause) clearly does not give the right to copy to anyone. Under US copyright law (although most countries have similar laws thanks to the Berne agreement), the right to copy the software was not handed over.

Redistribution means the right to distribute again, iow, pass your copy to another person (as in letting a friend borrow a book). It does not give you the right to copy the original work which you downloaded (as in letter a friend copy the copy of your book).

btw, the term "use" has a legal definition which clearly does not cover the right to modify or copy (if it did, the original IPF problem wouldn't have come up).

I don't think the U of Berkeley Trustees realize this. I also don't think they would really care either since they are well aware of the various BSD distributions based on their released code.

On a slightly different note, I've always wondered how the GPL and BSD groups who subsequently change their license (e.g. the various versions of the GPL, when the BSD license got its advertising clause removed) make those changes retroactively. When a person submits *substatial* code under an earlier GPL version, they are putting a license on it. They also, however, retain their rights to that code, even if given to a project.[1] I've never understood how a project can then take that code and roll it into another license without contacting the original code submitters to get their permission to reuse their code.

[1] Please don't tell me that by giving up their code, they gave up their rights to it. This is not obviously the case. If it were, the US copyright code would not have had to be modified to explicitly note that individuals working for a company gives up that code to that company. (And to further note, that loophole does not apply to open source projects--they are not companies are pay people for their code).

Re:Commit?

[bwulf]

% cvs commit

i.e., to commit a change from your local sources to the central CVS repository.

A committer, thus, is one who has write-access to a given repository.

Re:Commit?

[bwulf]

hmm, didn't get the "Comet"-reference :)

(and yes, commit, v. is a word; try dict.org :)

Re:This is my first humble attempt ...

[dmiller]

That right, the author should have said that it is complete and bug free - then it would surely be acceptable! After all, free software projects are always born whole.

Re:overblown

[Trepidity]

1. Allowing redistribution in binary form is already allowing derivative works - the original is distributed only in source form.

That to me is a reason to read the license as *not* allowing derivative works. If it allowed derivative works in general, there would be no reason to grant permission to distribute one particular class of derivative works (binaries). But since it explicitly does grant such permission, one might assume that any other derivative works for which such permission was not granted remain disallowed.

Re:Best luck!

[danimal]

I just hope that unlike OpenSSH they won't make two versions - native and portable.

There are only 2 versions for portability reasons. The portable version is pulled from the OpenBSD CVS tree and modified slightly so it complies on other UNIX platforms with those things it needs from the OpenBSD libc (things that don't exist or don't work the same in other unicies).

I doubt you would want to try to checkout the source tree for OpenSSH and then try to figure out what files are needed to make all routines/syscalls work.

-danimal

Re:Great!

[RelliK]

Any bets on what the will call it for version 2.6 and will it handle stateful inspection?

My guess is they will call it netfilter and it already handles stateful inspection. Oh btw, intead of posting FUD, would you care to point out what your grief with netfilter is?
___

license change and free code

[RelliK]

Did OpenBSD folks base it on the free ipf code that was available before the license change? A license change cannot be retroactive, so the free ipf code cannot be un-released. Therefore, OpenBSD could just take the latest free code and continue from there. Why reinvent the wheel? Or am I missing something?
___

clarification my ass

[RelliK]

The original license permitted the use of ipf "in binary and in source". I don't see how you can "clarify" that by later stating "yes, it means that modification is not allowed". How else do you use something in source?
___

Re:Great!

[otis wildflower]

yo, did you read the line below that one?

top or vmstat differentiates between user, system and idle.

top also breaks out on iowait.

Assholes.
Your Working Boy,
- Otis (GAIM: OtisWild)

Re:Great!

[otis wildflower]

Give it another week and it will probably be alot faster, better and more feature complete than that pile of crap that we refer to as netfilter.

That's funny, I've got a netfilter box hosting 4 IPSec tunnels as well as firewall duties for a 2mbps link, 256MB RAM on a Duron 750. Guess what my load is?

0.00 0.00 0.00

I have never seen it peak above 3% total utilization, even when maxing out data transfers on the 3DES/MD5 links.

Even if we bump our pipe to 10mbps, I doubt I'll have much to worry about.

btw, I've run about 500-600 simultaneous tracked connections (wc -l /proc/net/ip_conntrack) without even breaking a sweat. I could not possibly have bought a cheaper AMD system than I did (the box is assembled from parts and configured to boot off of mirrored 4.3GB HDDs), and it is STILL overpowered.


Your Working Boy,
- Otis (GAIM: OtisWild)

T-Rex vs. open source?

[jlv]

T-Rex's web page declares Open Source Firewall, but their FAQ says:

Q: Where is the source code for version2?

A: Contractual obligations prohibit us from releasing the source code at this time. However, we did not want to delay the release of Version2 any longer.

Re:overblown

[Ed Avis]

Exactly the same licence problem occurred with Pine; their FAQ says [washington.edu]:

10.2 Weren't earlier Pine licenses less restrictive regarding redistribution of modified versions?

No. License wording has changed from time to time, but the owner's intent has not. When it was discovered that some individuals were misinterpreting the intent of the University, the license wording was clarified.

In particular, the earliest Pine licenses included the words: "Permission to use, copy, modify, and distribute this software... is hereby granted," but some people tried to pervert the meaning of that sentence to define "this software" to include derivative works of "this software". The intent has always been that you can re-distribute the UW distribution, but if you modify it, you have created a derivative work and must ask permission to redistribute it. There has never been implicit or explicit permission given to redistribute modified or derivative versions without permission. The license wording was therefore changed to clarify this point.

What worries me is that there are many other 'free software' projects using a licence worded like this, and until now I'd automatically assumed it was equivalent to the BSD or X11 licences.

Someone from each of the *BSDs and from each Linux distribution needs to grep through the COPYING files for occurrences of the above text, or text like it, and ask the author for clarification. It would be best to get rid of this permission notice altogether, and change to something less ambiguous.

Re:*BSD is dying

[benedict]

This is so full of misinformation, I hardly know where to start.

Walnut Creek's relationship with FreeBSD was taken over by BSDi and now by Wind River.

FreeBSD's plans for fine-grained SMP go back before the BSDi relationship. BSDi ideas have been used to expedite the development process, but BSDi code is not being used wholesale.

I don't think very much of Linux comes from BSD any more.

I don't think there's a true sentence in your post, except for the first one.

--

!= T-Rex (was: Re:overblown)

[yabHuj]

T-Rex (according to the docs I gobbled) is a set of specifically configured proxies, notably Squid. This is definitely not comparable to a packet filter as PF, IPF (both *BSD) or IPchains, IPtable (both Linux).

Re:overblown

[Nickus]

IPF is still included in the 2.9 release but will be removed in future releases. This is because there is a bit difficult to remove the IPF package from all cd's already manufactured.

Re:overblown

[Col. Klink (retired)]

If you can't modify it, then you can't take out the name of the original author or "this notice". Since he insisted that "due credit [be] given to the original author," it seems to imply that he wanted to make sure that, when you modified it, you left his name there.

By explicitly limiting what you could change ("this notice" and "due credit"), he was implicitly allowing other modifications.

Re:Great !!!!

[Sloppy]

The challenge is : will they be able to complete pf for that date ?

Unfortunately, the real question is: Do you want to run a firewall that is only 6 months old?

OpenBSD's great "selling point" is that it has a reputation for being very debugged (under the pretense of security).

---

Re:Yes they did

[flimflam]

D'oh! Sorry, I read too fast. My bad.

Yes they did

[flimflam]

Uh, they didn't reimplement it.

They took the latest decently licensed version
and improved it from there.

I think you're wrong about that. Since supposedly the license was never changed, only "clarified", there never was a "decently licensed version" to start from.

At any rate, from the comment on the initial CVS checkin:

Initial import of pf, an all-new ipf-compatable packet filter.
Insane amounts of work done my dhartmei. Great work!

which certainly makes it seem likes it's starting from scratch.

Here's the URL with details

[Therin]

Look here [benzedrine.cx] for details about pf.

Re:Great !!!!

[IcePic]

Another thing here is that OpenBSD didn't just
consider this from one perspective (the single user)
but also from companies and other organizations
that might use ipf with local modifications.
The goal is to have something that can be used,
modified and redistributed again, without you
having to read every source looking for licenses.

With the Net/FreeBSD going by some (IMHO) weird
middleway option that somewhat goes like:
"We can use it since Darren says so" you end up
in a strange position if you use the otherwise
free OSes but have to exclude ipf in case you
modified it ever so slightly.

Also, you can't do a "Theo" and fork off Free or
NetBSD and make it MyBSD+ipf. Or rather, if you
do, you can't patch ipf. It's weird having an OS
with a kernel that allows you to change 99% of it
but not all, isn't it?

Re:*BSD is dying

[ce25254]

I am in the process of switching my (few) Linux boxen to NetBSD.

Why?

Because of Mac OS X.

Re:Commit?

[Eidolon]

Don't they have humor in Denmark? :-)

Thanks for the straight-faced definition. I'm not totally convinced it's a word, but I have heard this usage before.

Re:overblown

[Fruit]

T-rex isn't even DFSG compliant. Actually, a brief glance suggests that its "LPL" license is just as restrictive as the ipfilter license.

Re:overblown

[mpe]

Under US copyright law (although most countries have similar laws thanks to the Berne agreement), the right to copy the software was not handed over.

However issues of copyright ownership on "derived works" do depend very much on local copyright laws. If could just as eaily be "you own copyright on your bits, I own copyright on my bits" or even "I modified it and own all the modified version". (Indeed the US "original author owns all" probably wouldn't exist if US copyright law hadn't started out as being short term. Since the current situation is very much at odds with the reason for the US even having copyright.)

Re:overblown

[prizog]

That's a good point. I would now call this clause neutral to the interpretation.

Re:overblown

[prizog]

1. He did not in the past correct people who were under the impression that it was BSD-licensed. Now, copyright law doesn't require this - but
common courtesy does.
See e.g. this thread:

http://false.net/ipfilter/1999_12/0055.html

And of course, Open, Free, and Net BSDs have been distributing modified versions w/o any problems.

Now, the original license seemed to allow modification - I base this on
two things, which I have marked with _s :

"Redistribution and use in source _and binary_ forms are permitted provided that _this notice is preserved_ and due credit is given to the original author and the contributors."

1. Allowing redistribution in binary form is already allowing derivative works - the original is distributed only in source form.

2. Removal of the notice would constitute modification - the existence of this phrase implies that other modifications and distribution thereof are allowed.

So, it can definately be argued that Reed's new license is a change in meaning.

Great !!!!

[chrysalis]

Many people are using OpenBSD for firewalls and masquerading gateways. When the removal of ipf was announced, half the people said "ok, I'll have to stick with 2.9 forever :(", and the other half said "ok, I'm gonna drop OpenBSD for NetBSD or FreeBSD".
It was very bad for the popularity of OpenBSD.
The new packet filter is excellent news, and I just can say "good luck" to the team.
OpenBSD 3.0 will be released in 6 months. The challenge is : will they be able to complete pf for that date ?

-- Pure FTP server [pureftpd.org] - Upgrade your FTP server to something simple and secure.

Re:Great !!!!

[krausedw]

I have already ported the latest IP Filter to OpenBSD-Current. Check out the IP Filter list soon for the changes, or email me (ipfilter@davidkrause.com) and I'll send you a tarball of what I have so far.

Re:overblown

[wbb4]

No, it was not overblown.

The OpenBSD Project, admittedly, made a mistake by including IPF initially. The fact that Daren Reed did NOT change the license, he clarified it. Any copyright lawyer would tell you that OpenBSD could NOT have continued using IPF (and really, should not have to begin with).

If I may, this was the original statement:
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
Notice the lack of "with or without modification", as is standard in a BSD style license. This DOES INDEED mean that modification is not permitted (wihtout prior approval of course)

I am sick and tired of the FUD that is being spread that just because "Theo didn't like it" IPF was removed, this is not the case.

OpenBSD is used by several commercial organizations who also modify it. OpenBSD has a responsibility to those organizations, and if they must get Daren's permission before they change anything that OpenBSD distributes, it is not in the best interest of those organizations or of OpenBSD.

OpenBSD has taken the high road by avoiding issues later by removing it to prevent any confusion for it's users.

overblown

[joq]

I didn't see what the big deal was with IPF switching licenses, personally I thought it was taken all out of context by many.

Anyways for those looking for completely different alternatives check out T-Rex [opensourcefirewall.com] which is pretty neat, although a large download for those over dialup.

Also note that IPF *still* runs fine under OpenBSD although it's not likely to be included in the shipments going out now.

Daniel's page on pf

[Zigg]

You can get more information on Daniel's undertaking at his page about it. [benzedrine.cx]

Re:license change and free code

[ijx]

Originally, ipf's license did explicity allow or forbid modification. Legally, the general concensus (IANAL) is that it forbade mods all along.

Darren Reed's big "change" was to bluntly say that you cannot distribute a modified version without permission. That's what caught Theo's eye.

Technically, there never was a version with a license that predates Darren's explicit ban on modifications. This means that the kind of forking that allowed OpenSSH to be developed so quickly is not possible here.

Re:Yes they did

[Phork]

He's talking about ssh, open BSD didnt remimplement ssh, they improved upon it.

Re:Great !!!!

[veg]

Indeed it is excellent news but please don't switch OSs just yet:

Don't forget that it was only removed from the OpenBSD *distribution*. Darren Reed has said that he will continue to support OpenBSD and work is already afoot to port the current ipf to OpenBSD-CURRENT.
(although IMHO I think Mr Reed is not giving the *BSD releases as much attention as he is with the more...ahem...comercially-valuable...Solaris.)

To be honest, I've never used the version of ipf that came with openBSD because it was always so out of date - I know they had done considerable work patching it but nonetheless it was still lacking in features and bugfixes. Even the "new" version included with 2.9 was out of date by the time 2.9 was released. Pity.

Ah well - lets hope pf is to ipf what openssh was to ssh. Three cheers.

Clarification? No free version?

[Arker]

Well the license was not redifined but "clarified" in it's meaning, the license never changed, there are no free versions.

So Darren has said recently. But, in all fairness, that just doesn't fit the evidence. See for instance this post [neohapsis.com] from a year ago, where Darren refers to his work as "public domain." Contrast that with his more recent statement [computerworld.com] in computerworld that he has "never considered IPFilter to be open-source."

The license hasn't changed, no, but Darrens publically stated interpretation of the license sure as hell has.

Having followed this story closely, the best I can tell what happened is this. Darren initially intended his license to be BSD compatible, wrote it to be BSD compatible, and everyone using and contributing thought it was indeed BSD compatible. Darren didn't correct them because so far as he was concerned they were correct. Recently he got upset at the possibility or actuality (not sure which) of people distributing modified versions of his own betas, and added the "clarification" to a beta, intending only to prohibit modified versions of that particular version, not of regular releases. At this point Theo and others realised that the original license was indeed less than perfectly clear, and fearing that he would try to extend the prohibition further, and concerned that the license wasn't clear enough about modifications, they began to ask him to change the license. Apparently Theo managed to really rub him the wrong way in the process, and he got angry, and decided based on the vagueness in the licensing terms he could get away with closing it all retroactively, just to spite Theo. Begin the flamefests and the inevitable removal of ipfilter from OBSD.

"That old saw about the early bird just goes to show that the worm should have stayed in bed."

Re:Great!

[jemfinch]

That's funny, I've got a netfilter box hosting 4 IPSec tunnels as well as firewall duties for a 2mbps link, 256MB RAM on a Duron 750. Guess what my load is?

0.00 0.00 0.00

Of course, since load average is only calculated based on the number of processes waiting for CPU, and since netfilter is entirely coded in-kernel, your load average will never be more than 0.0 on that firewall, regardless of your hardware.

Jeremy
--

Re:Great !!!!

[zulux]

I actually purchased a 2.9 CD - just to make sure that I had a OpenBSD distribution with a working and tested packet filter. I could have grabbed IPF by itself, but I might have missed out on any patches on IPF that the OpenBSD folk have done to it. And it was about time I supported OpenBDS with a little bit of money.

Re:overblown

[_Marvin_]

You can't change a license retroactively, period.
There is, however, a special provision in the GPL: you're *allowed* to use GPL'd code under any later versions of the GPL (the GPL explicitly states that fact) - but you can't be *forced* to.

Re:clarification my ass

[hubertf]

"use", like in "push through the compiler"?

- Hubert

Piecewise reimplementation

[yerricde]

Quite a difference between improving something and totally rewriting it, even if in the end no original code remains.

Like LAME [sulaco.org]? Like GNU itself? The GNU system is a piecewise reimplementation of the UNIX® system. Until the free Linux kernel came around, the GNU system (gcc, Emacs, bash, etc.) ran on top of proprietary UNIX systems (and free BSD systems). Even Richard Stallman supports using proprietary software and semi-free software [gnu.org] "temporarily for the specific purpose of writing a free replacement for that very program."

Re:Best luck!

[R.Caley]

The portable version is pulled from the OpenBSD CVS tree and modified slightly so it complies on other UNIX platforms

Which is enough to have made me think twice before using it. I almost decided to pay money rather than risk a modified version.

OpenSSH would be far mroe reasuring is the basic development and testing and day to day brainstorming was being done on the version I actually use.
_O_

Re:clarification my ass

[Dahan]

How else do you use something in source?

Uh, you compile it. Some people care a lot about security and don't want to run precompiled binaries, especially for something like a firewall. So they read the source and compile it themselves. No modification necessary.

Re:overblown

[rgmoore]

Actually, the GPL itself does not include the clause about using later versions. It is suggested that authors include in their copyright notice that the code is licensed under version foo of the GPL or, at the licensee's option any subsequent version, but that is just a suggestion. ISTR that Linux does not include the "or at your option a later version" clause specifically because Linus was worried that a later version might include a "bug" that would result in unexpected and undesired results. And, of course, they copyright holder for a piece of software can change his license after the initial release. It's just that he can't force people who licensed it under the old terms to relicense under the new terms. That means that in effect it's only possible to release under a less restrictive license (which people will voluntarily use) and not a more restrictive one (which they won't).

Re:*BSD is dying

[El Prebso]

Still doesn't change the fact that the BSDs are alot more stable than most other operating systems, including Linux.

Re:*BSD is dying

[crazyeddie]

Actually FreeBSD has had SMP a lot longer than that. It has been part of the main source tree since release 3.0 in October '98. See the release notes at http://www.freebsd.org/releases/3.0R/notes.html for details.

Re:Best luck!

[Skuto]

>Judging by OpenSSH, the OpenBSD team is capable
>of reimplementing complex software in a short
>time span. I wish them luck with the new project.

Uh, they didn't reimplement it.

They took the latest decently licensed version
and improved it from there.

Quite a difference between improving something
and totally rewriting it, even if in the end no
original code remains.

--
GCP

Re:Yes they did

[Skuto]

Please reread my post.

I never mentioned ipf/pf. I was talking about OpenSSH.

--
GCP

Re:Great !!!!

[cant_get_a_good_nick]

And it was about time I supported OpenBDS with a little bit of money.

I think Bondage and D/S get enough money on the net with or without your contributions, but the thought was nice.

Best luck!

[BlowCat]

I'm sorry for OpenBSD folks who have almost been forced to write a new IP filter. But sometimes it's useful to rewrite something from scratch, especially for software so critical for security.

Judging by OpenSSH, the OpenBSD team is capable of reimplementing complex software in a short time span. I wish them luck with the new project.

I just hope that unlike OpenSSH they won't make two versions - native and portable.

Re:Great !!!!

[mirabilos]

subscribe to src-changes@
Then you'll see the number of new commits and
debugs to OpenBSD.
This includes pf.

Btw I wrote about this right after /. was back
online...

--

from scratch?

[mirabilos]

or from BSD ipfw?

Possible and has been discussed, but I
don't know either.

--

Re:license change and free code

[michaelo]

once again: according to Darren it was just a license clarification and not a change.
J.

Re:overblown

[ryanvm]

I didn't see what the big deal was with IPF switching licenses, personally I thought it was taken all out of context by many.

License issues are a lot like certain Constitutional rights - you may never need them, but they're nice to have.

Chances are, that you'd never publish anything that your government would like to censor, but having the freedom to do so is extremely important. Likewise, you'll probably never have to defend your home against military invasion - but the right to bear sure would help if you do.

The point here is that I agree that Darren Reed would have probably never done anything rash or stupid with IPF. But, an open license would have ensured that he didn't.

There is a reason that it's called OpenBSD, and Theo did the right thing by standing his ground on the situation.

In the Plex?

[Britney]

it looks like the new filter is going to be ipf-compatible

Maybe Google would be interested in this.

Wait - that's IPO-compatible.

Re:In the Plex?

[Britney]

Sure - I've been in the news (on the BBC).

Take a look [bbc.co.uk]

Now I've shown you mine, you show me yours.

Re:goodbye to ipf

[ByTor-2112]

Get real. IPF is a stable, tested, full-featured packet filter. There are NO license issues with IPF under FreeBSD and I would assume NetBSD as well. IPFilter was moved to /usr/src/[sys/]contrib in FreeBSD, and that was that.

Just because someone comes out with a new packet filter doesn't mean it's time to declare everything else dead and hail to the Next Bing Thing. Oh, wait a minute. That's what Linux does. Every release. ~snicker~

Re:*BSD is dying

[isa-kuruption]

You moron.

FreeBSD was not bought by BSDI. Yahoo! uses FreeBSD and provides most of it's current funding (or at least provides the funding to Walnut Creek who then funds FreeBSD). Since Yahoo wanted dual processor machines, they "integrated" BSDI into FreeBSD resulting in SMP support in FreeBSD (as of 4.3 I believe)

Let's also not forget that the majority of Linux code is STILL based on (old) *BSD code.

There is a saying that applies here (I think):

"BSD is for people who love UNIX; Linux is for people who hate Windows"



I think you need to flash your brain's firmware.

goodbye to ipf

[evenprime]

I think that IPF is done for. My guess is that the other bsds will want to adopt pf, and I'm certain that the COTS software vendors who have ipf-based products will do the same, since there's no question about the licence changing on a whim like happened with IPF.
--
"Weapons should be hardy rather than decorative" - Musashi

Re:clarification my ass

[dinivin]

Even better than that: Darren explicitly stated in his original license that any distributions of any modified code had to credit him. Therefore, he was obviously expecting, and allowing, individuals to modify and distribute his code.

Dinivin

Re:Yes they did

[dinivin]

Skuto was talking about OpenSSH, not pf. Notice how he was repsonding to a specific setence talking about OpenSSH?

Dinivin