Port OPNsense to Linux?

Started by MrWizard, March 30, 2026, 11:40:27 AM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
March 30, 2026, 10:36:07 PM #15
It's not exactly a one VLAN limit but a four zones total limit as I found out. For whatever reasons. Seems silly.

But surely improving on that project to allow an arbitrary number of zones will be easier than "porting" OPNsense. What would the latter even mean? You can port parts of the UI but definitely not the rules and NAT sections because all of this works completely different (I am repeating myself ;-). So better focus on a Linux based product to begin with or create a new one. That's essentially my only point.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
March 30, 2026, 10:43:45 PM #16
Quote from: Schroinx on March 30, 2026, 10:31:56 PM@Patrick
Can the functions be added to Linux's kernel, and would it make sense, if someone was to convince Linus about the importance of it?


No, definitely not. Linux suffers greatly from NIH (not invented here) syndrome, and while in BSD land (specifically FreeBSD) not everything is perfect - far from it, there is historic evidence that Linux in general and Linus in particular refused again and again to import working concepts and software for taste/political reasons more than technological ones.

E.g. netgraph, dtrace, ZFS, ...

ZFS is the only thing where I can relate to Linus. He more or less stated: "Unless I have a written statement by Larry Ellison (read: Oracle's legal department) that it's ok, I won't integrate ZFS into the Linux kernel for copyright reasons." Understandably so.

The barrier to get pf into the Linux kernel is huge - just forget it.

Linux has a working kernel firewall (or two or whatever - what do I know?) and that's what a Linux based firewall has got to use.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 12:14:54 AM #17
Quote from: Patrick M. Hausen on March 30, 2026, 10:36:07 PMIt's not exactly a one VLAN limit but a four zones total limit as I found out. For whatever reasons. Seems silly.
AFAICS this is a legacy concept that originated from SmoothWall, before it became IPCop, before it became IPFire. Or somesuch as I didn't follow the development closely.
They had originally "colored" the physical interfaces, which made perfect sense back in the day as there aren't too many even now. Probably the simplicity of the concept kept it around, even though with VLANs it should be updated to at least "8 bit colors". :)
Today at 01:06:33 AM #18
Quote from: Patrick M. Hausen on March 30, 2026, 10:36:07 PMIt's not exactly a one VLAN limit but a four zones total limit as I found out. For whatever reasons. Seems silly.[...]

IPFire (or its progenitor) actually implemented very limited VLAN support (one VLAN per interface/zone...?) before Ben Greear's VLAN code was upstreamed, and they kept that model for historical reasons. From "Zone Configuration":

Code Select
Please note that:
- Due to backwards compatibility reasons, you can't assign more than one VLAN to a zone
- One NIC can't be accessed natively by more than one zone
- You can't use the same VLAN tag more than once per NIC
[...]

IPFire is definitely its own thing.
Today at 01:16:35 AM #19
Quote from: MrWizard on March 30, 2026, 10:31:56 PM[...]Can the functions be added to Linux's kernel, and would it make sense, if someone was to convince Linus about the importance of it?

Heh. Even the reprogrammed, sensitive and politically correct Linus would have some choice words about that.

Why not get serious and add a pf (filter) and IPFW (shaper compatibility layer) plugin to VPP? No kernel mods required. Porting OPNsense (and maintaining the port) would be a bit of a nightmare. And VPP itself is a moving target - there's a reason it's not packaged for any distro (that is, available via a package manager).
Print
Go Up Pages 1 2
User actions