OPNsense Rewrite Discussion

Started by skydiablo, June 12, 2023, 03:55:47 PM

Hello, has there been any recent attempt to rewrite OPNsense? I wanted to enable the addition of gateways to the Gateway API and therefore took a closer look at the source code of OPNsense. I don't want to say that it's bad, but it does seem quite dated. Not that I want to open a "yet-another-open-source-firewall" fork of OPNsense right away, but at least discussing whether it would make sense?

There has been continuous work on rewriting all modules in MVC style. You will find that e.g. src/www/system_gateways.php is vastly different from everything in /src/opnsense/mvc/app/...

The latter is the modern style code.

When this conversion to the new style will be finished, I cannot tell. Possibly even the core developers themselves cannot tell for sure.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Okay, so the current system will be migrated to a different codebase "on the fly." What about the challenge of bridging the old and new worlds? Wouldn't a complete rewrite free us from a lot of technical debt?

Quote from: skydiablo on June 12, 2023, 04:20:16 PM
Okay, so the current system will be migrated to a different codebase "on the fly." What about the challenge of bridging the old and new worlds? Wouldn't a complete rewrite free us from a lot of technical debt?
It's essentially "just" a web application, though a large and complex one. Each "page" can be rewritten more or less individually while the product continues to be available.

How would you do a rewrite from scratch? You would still have to maintain and update the old code base so now you have two products to work on. I really prefer a refactoring approach as taken by the OPNsense team.

You can check the roadmap to see which modules are planned next:
https://opnsense.org/about/road-map/
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

> but at least discussing whether it would make sense?

Sure, good luck! The estimate for us alone changed from 5 to 10 years to modernise the code base. If you have a bit of spare time go for it. ;)


Cheers,
Franco

I really don't want to bash anyone here, and at the end of the day, the one who takes action is the one who is right, not the one who just talks about it. The current MVC approach is certainly a good path, but when I look at the current code, it doesn't feel like an enterprise web application to me. Hence, my initial statement: Wouldn't a "greenfield" approach be worth considering?

So first and foremost OPNsense exists because pfSense went a closed-source route for a while (build tools in particular) and relicensed the BSD license to something that even some of the main authors never approved of.

With that in mind the answer for 2014 was "no", because conservation of the codebase was the sole wish and keeping it as open as before.

For us the answer in 2023 is still "no" because we are 70% done with getting to a better point we initially aimed for, having rewritten a number of subsystems and software integrations in the past years.

What the answer in 2023 is for anybody else is up to them. Linux needs a good firewall. It's a great software base but apparently nobody writes a good firewall like OPNsense/pfSense there which is a shame. :)


Cheers,
Franco

You're right, there's a lack of a Linux firewall! So, if I understand correctly, you're suggesting that the opportunity to write a "new" firewall could be taken as a chance to use Linux instead of BSD, since the train for OPNsense has already left the station, so to speak?

June 13, 2023, 03:08:51 PM #8 Last Edit: June 13, 2023, 03:10:32 PM by franco
Well, I have no idea what your plans are, but these are my opinions:

1. For OPNsense to leave FreeBSD behind would mean loss of some major features with no immediate replacement. Think about having to rewrite all the firewall parts for starters.

2. OpenBSD was discussed as well, but I have an OpenBSD background and I can say that FreeBSD is a far better fit for a long list of reasons (you can find them here in the forum).

3. If you want "greenfield" I'm not sure what parts of the OPNsense code base you really need if Linux is a better starting point that leaves virtually no reason to use the code base (your previous mention of "fork") apart from aesthetics, which everybody has a different opinion about and you end up changing anyway (for good reasons likely).


Cheers,
Franco

So, actually, I wanted to initiate a discussion about whether OPNsense should be rebuilt in a "better" way. As I have now learned, there are already efforts underway to do so, and I have already seen them and assessed them as improvable based on my standards. Therefore, it seems that a "rewrite" is already in progress from the core OPNsense developers, and my original intention to give it a push is essentially unnecessary.

I actually think your idea of using Linux as the basis for a firewall is not a bad idea at all. Of course, it would require rewriting everything, which was also my main idea. The thing is, I'm a big fan of OPNsense and use it whenever I can—it's truly a great achievement! However, the underlying code hasn't fully convinced me so far. But that's okay, as long as I don't make it better myself and just talk about it, it remains the best code there is ;)

Currently, I'm in the preparations of writing a NAC (Network Access Control) system, and I briefly considered using OPNsense as a base. However, since I'm not entirely satisfied with the technical implementation, I'll probably end up rewriting everything from scratch. Since I have no qualms about starting anew, I'm reimplementing various protocols/services in PHP completely from scratch. For example, I've already done RADIUS (https://github.com/skydiablo/SkyRadius) and DHCP (not yet released), and I'm also working on DNS (not public yet). Now, my remaining challenge is to implement the firewall part. I can either use OPNsense as the firewall and utilize its API, or I can build my own firewall (essentially just an interface for iptables/nftables).

As for a free Linux firewall, you have VyOS, but it's primarily a routing platform, whereas OPNsense is a firewall platform plus lots of plugins; both can be used as a router/firewall. A big downside, and in my opinion the reason VyOS is not more popular, is the lack of a GUI, but the development in that direction looks really good. I'm using both, and both have pluses and minuses. As for code quality, I can't judge either OPNsense or VyOS.