Comment by xoa
5 years ago
Ars Technica had a more in-depth follow up, "FreeBSD kernel-mode WireGuard moves forward out-of-tree" [0], and essentially it's just moving into Donenfeld's own repository for maturation/testing until fully baked. It was announced on zx2c4 yesterday, ("WireGuard for FreeBSD snapshot 0.0.20210317 is available" [1]).
It appears that for some reason Macy, whom Netgate hired, spent a year trying to port the Linux kernel version (with ample kludging and ifdefs to make it work) rather than the more portable original core standalone version. The result wasn't great. But the rushed replacement Jason volunteered a lot of time for was, well, rushed, and everyone agreed that while kernel-mode wg in FreeBSD is very desirable the whole point of the project is to be really reliable and secure so worth taking more time to do right.
This presumably won't represent that much of a delay in the end. And while it's too bad Netgate couldn't have been more collaborative and gotten it right from the start, it's also impressive and humbling to see skilled people rallying to get it together in the end. Wireguard is such a great project.
----
0: https://arstechnica.com/gadgets/2021/03/freebsd-kernel-mode-...
1: https://lists.zx2c4.com/pipermail/wireguard/2021-March/00651...
I've been trying to stay quiet here because I just want to part ways, but the last sentences here got to me.
This wasn't a "mission to fix if_wg," at least it didn't start that way, and I think that it's important to acknowledge that my motivations here weren't exactly what's happened.
Let me start with: folks can hate me for this, but I generally like mmacy. I don't like specific things he did with this driver, but we usually get along. I don't really like how he's getting dragged around like this.
Now, this didn't start as a campaign to fix what was put into the tree, or to get Matt hit with the crap-bombs he's been dealt. This is the rough sequence of events:
- I use openvpn
- I don't like my openvpn setup, let's try if_wg
- oh, there are a couple problems here, let's fix those
- ok, what would it take to get wireguard-tools support?
This is where I get in touch with Jason.
- "oh, we gotta fix this"
- yeah, I can believe that
Cue hackathon session, we fix:
- All the jail bugs I can spot
- The race conditions we spot
- Number of panics
- Buffer overflow
- Privilege check
- Resync a lot of stuff with OpenBSD
- A number of things that I don't see, but I'm not a qualified expert in the area
Then we're here, where the stories start dropping and all hell breaks loose. For me, this isn't a story about how skilled people rallied to get it together, this is a story I'm not particularly proud of.
No further comment, because I'd like to get back to what I do. I know this isn't going to end well for me, so I likely won't check back.
I've run into the Netgate folks plenty of times, and so have many others. They are not nice people. Just look over Reddit or their Forums (especially during the AES situation where I was banned for life for a post saying I was unhappy with the decision even though I apologized).
I kept hand waving it away and using pfSense but no more. They do not deserve anybody's business. They are not good partners for the community.
My point, for you, is you did nothing wrong. The blame lies on their side.
What will you go with instead of pfsense?
I don't really care about this wireguard debacle (besides better code = good, and openvpn alternative = good), but I don't like the pfsense plus pro definitive paid game of the year edition.
This seems to come up again and again. Too bad really. Seems like Opnsense is a solid alternative for those who want to avoid pfSense.
I didn't mean to spin this for Netgate. But Donenfeld hasn't seemed to want to make a big thing over it, and I just wanted to try to respect that for a summary. Kind of figured anyone really interested would read the stories and comments and get the gory details, but I'm genuinely sorry if you felt I disrespected the situation by being too breezy. And I do think there was an impressive rally to try to meet an admittedly artificial deadline and get something better in place rather than letting it slide or throwing more bombs than necessary. I do recognize it was serious.
I was linked back to your reply because it seems that I've not really communicated this very well; there's nothing wrong specifically with how you represented the situation, and I'm sorry if I came across as angry about you specifically. Read the rest of this in that same tone.
I'm angry that this has blown up like it has, and I realize that Netgate hasn't helped themselves out at all with the statements they've been releasing. If I was a PR person, my immediate reaction would have been "Hey, we're pulling this from the build. Know you guys were all excited about it, but points to press release"
I'm trapped here, you know? I can't speak for the proportions of how bad it was because I'm just a kernel guy, not a security guy. If I say "I don't think it was really that bad," I can pretty much immediately be written off as unqualified to make those kinds of statements.
We did end up nearly entirely rewriting the driver, but a significant chunk of that was removing iflib to fix a load of vnet issues and simplify it. I'm proud of what we ended up with, but I'm not proud of how this was handled by pretty much everyone around me.
Finally, to me, the deadline was very real. I thought we could end up with something that I'd be able to merge in time for 13.0rc3 (builds started today) in a relatively non-disruptive manner. It wasn't until most of the time had passed that I realized what we had come up with, and started hoping that I could still pull it off with significant testing.
It should tell you all you need to know about Netgate and pfSense when they hid the build tools without warning, changed the license, and hired a convicted residential terrorist like Macy who can't be trusted to show the restraint of civilized behavior. Use opnsense instead.
Ok, perhaps we'll change the article from https://www.netgate.com/blog/wireguard-removed-from-pfsense-... to that (thanks!). If there's a better article, we can change it again.
The original netgate blog post is about a slightly different event from arstechnica's follow-up (in this FreeBSD/WireGuard saga).
Arstechnica's article is about the removal of the 'rushed' WireGuard implementation that was supposed to go into FreeBSD 13 and the fact that development is continuing out of tree.
Netgate/pfSense had backported the old (pre-rushed) implementation that they had commissioned to the FreeBSD 12 kernel version which was released as part of pfSense 2.5 several weeks ago. They have now chosen to rip it back out again.