Comment by kevans91

5 years ago

I've been trying to stay quiet here because I just want to part ways, but the last sentences here got to me.

This wasn't a "mission to fix if_wg," at least it didn't start that way, and I think that it's important to acknowledge that my motivations here weren't exactly what's happened.

Let me start with: folks can hate me for this, but I generally like mmacy. I don't like specific things he did with this driver, but we usually get along. I don't really like how he's getting dragged around like this.

Now, this didn't start as a campaign to fix what was put into the tree, or to get Matt hit with the crap-bombs he's been dealt. This is the rough sequence of events:

- I use openvpn

- I don't like my openvpn setup, let's try if_wg

- oh, there are a couple problems here, let's fix those

- ok, what would it take to get wireguard-tools support?

This is where I get in touch with Jason.

- "oh, we gotta fix this"

- yeah, I can believe that

Cue hackathon session, we fix:

- All the jail bugs I can spot

- The race conditions we spot

- Number of panics

- Buffer overflow

- Privilege check

- Resync a lot of stuff with OpenBSD

- A number of things that I don't see, but I'm not a qualified expert in the area

Then we're here, where the stories start dropping and all hell breaks loose. For me, this isn't a story about how skilled people rallied to get it together, this is a story I'm not particularly proud of.

No further comment, because I'd like to get back to what I do. I know this isn't going to end well for me, so I likely won't check back.

I've run into the Netgate folks plenty of times, and so have many others. They are not nice people. Just look over Reddit or their Forums (especially during the AES situation where I was banned for life for a post saying I was unhappy with the decision even though I apologized).

I kept hand waving it away and using pfSense but no more. They do not deserve anybody's business. They are not good partners for the community.

My point, for you, is you did nothing wrong. The blame lays on their side.

  • What will you go with instead of pfsense?

    I don't really care about this wireguard debacle (besides better code = good, and openvpn alternative = good), but I don't like the pfsense plus pro definitive paid game of the year edition.

    • I moved over to opnsense this weekend in a few locations. Will do more over time. In the few locations where an official appliance is used, I will likely move to swap those down the line.

      I've used pfSense since well before Netgate even existed, and enough that it's not just in use in my home or lab. I generally don't make decisions based on bad PR or internet drama. So I didn't really bother to move over the AESNI stuff, or even the gnid/build tools etc. Though the gnid thing was what opened my eyes to what Netgate was doing.

      But their choice to diverge their code to basically closed source [1] and only contribute minimally to the CE, and leave it to people using CE to "enable" their features/changes, leaves me with little choice but to move on. I use products like these because they are open to audits and fixes both for bugs and vulnerabilities. In the cases where I have used closed-source devices, especially at an edge location, it's been with a trusted company with a storied history of security focus (like Cisco, Proofpoint, Palo Alto etc).

      Netgate's decisions on 2.6/pfSense+ basically mean that I would need to trust the security of the device to a small number of people that have a history of reacting very poorly to any question or criticism. And the pattern of moving their code base to something that isn't open to auditors'/researchers' eyes gives me practical reason to stop using or recommending their products. Which is something I find unfortunate. It's not just the WireGuard thing in a vacuum, it's the pattern over time coupled with the choices they have made.

      All that said my initial moves to opnsense have been mostly positive.

      [1] https://www.netgate.com/blog/announcing-pfsense-plus.html

    • OPNsense, simple as that. It forked off pfSense back in 2015ish. It's not a perfectly drop-in replacement but it's close, has nice devs and community, and easily exceeds pfSense in certain regards (not least wg itself, topic related, since unlike netgate they don't have an issue with using one of the perfectly decent user space versions while waiting on a kernel version).

    • Like xoa says below, I'm probably going opnsense. There are other options (untangled, straight OpenBSD, VyOS), but for the switch I'd make I think it would be the easiest.

  • This seems to come up again and again. Too bad really. Seems like Opnsense is a solid alternative for those who want to avoid pfSense.

I didn't mean to spin this for Netgate. But Donenfeld hasn't seemed to want to make a big thing over it, and I just wanted to try to respect that for a summary. Kind of figured anyone really interested would read the stories and comments and get the gory details, but I'm genuinely sorry if you felt I disrespected the situation by being too breezy. And I do think there was an impressive rally to try to meet an admittedly artificial deadline and get something better in place rather than letting it slide or throwing more bombs than necessary. I do recognize it was serious.

  • I was linked back to your reply because it seems that I've not really communicated this very well: there's nothing wrong specifically with how you represented the situation, and I'm sorry if I came across as angry about you specifically. Read the rest of this in that same tone.

    I'm angry that this has blown up like it has, and I realize that Netgate hasn't helped themselves out at all with the statements they've been releasing. If I was a PR person, my immediate reaction would have been "Hey, we're pulling this from the build. Know you guys were all excited about it, but points to press release."

    I'm trapped here, you know? I can't speak for the proportions of how bad it was because I'm just a kernel guy, not a security guy. If I say "I don't think it was really that bad," I can pretty much immediately be written off as unqualified to make those kinds of statements.

    We did end up nearly entirely rewriting the driver, but a significant chunk of that was removing iflib to fix a load of vnet issues and simplify it. I'm proud of what we ended up with, but I'm not proud of how this was handled by pretty much everyone around me.

    Finally, to me, the deadline was very real. I thought we could end up with something that I'd be able to merge in time for 13.0rc3 (builds started today) in a relatively non-disruptive manner. It wasn't until most of the time was up that time had passed until I realized what we had come up with, and started hoping that I could still pull it off with significant testing.