pfSense beta branch and tracking FreeBSD releases
-
Historically, when FreeBSD releases a new minor release, does the pfSense beta update to it?
So in this case, pfSense 2.4 and FreeBSD 11.1, which is coming this summer: can I expect pfSense 2.4 to migrate to 11.1?
The reason for the question is that FreeBSD 11-STABLE has a fair few nasty bugs fixed which exist in 11.0, including some kernel panic bugs affecting my unit. Since pfSense doesn't follow the STABLE branch, these fixes will all be in 11.1, so I am hoping pfSense will migrate to 11.1 in the 2.4 branch.
https://www.freebsd.org/releases/11.1R/schedule.html
-
AFAIK, pfSense tracks -stable
-
[2.3.4-RELEASE][admin@firewall.rdnzl.fi]/root: uname -a
FreeBSD firewall.rdnzl.fi 10.3-RELEASE-p19 FreeBSD 10.3-RELEASE-p19 #0 bbfdb9a1d(RELENG_2_3_4): Wed May 3 16:09:14 CDT 2017 root@ce23-amd64-builder:/builder/pfsense-234/tmp/obj/builder/pfsense-234/tmp/FreeBSD-src/sys/pfSense amd64
2.3.4 at least follows the releng/10.3 branch. I can imagine that they are not too keen on switching the branches so quickly because of the custom kernel patches that pfSense has.
-
My understanding is that 2.4 will be based on FreeBSD "11". I would assume they would move to the newer version.
-
We usually track release/errata branches as they are less prone to change, but get important security/errata fixes. We have followed -STABLE at times in certain development stages but our releases generally do not target -STABLE.
2.4 will most likely switch to target 11.1 since it's going to be out soon and 2.4 is still under development.
-
OK, good news on the switch to 11.1. In recent years a lot of serious bug fixes have not been backported to RELEASE branches, just to STABLE.
The turnstile panic bug is at least partially patched in 11-STABLE so should be in 11.1. :)
-
FreeBSD imported the new IPsec stack into 11.1 which is a bit of a blocker for us. Unless we can convince them to revert that, or revert it locally, it doesn't look like we can use 11.1.
-
> FreeBSD imported the new IPsec stack into 11.1 which is a bit of a blocker for us. Unless we can convince them to revert that, or revert it locally, it doesn't look like we can use 11.1.
Is there a specific concern about the new IPsec stack or is it just the uncertainty?
-
Jim, I hope you can work round it, as 11.0 is one of the worst FreeBSD releases I have seen for a while; it is a bit of a dud release with the amount of issues it has.
If you don't migrate to 11.1, can you at least please use this patch to fix the turnstile bug? Currently I have manually patched my kernel.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213903
-
FreeBSD 11 was a major rewrite of many things compared to FreeBSD 10 that was just a direct continuation of the previous major versions. I'm quite surprised that pfSense was willing to use 11.0 as the basis for 2.4 because in every single case the X.0 release has been nothing more than a glorified beta almost directly based on the head branch with "release" sticker added. It's common that people wait until the X.1 release before they switch to the next major version because of the problems that usually occur with the X.0 releases.
-
@kpa:
> FreeBSD 11 was a major rewrite of many things compared to FreeBSD 10 that was just a direct continuation of the previous major versions. I'm quite surprised that pfSense was willing to use 11.0 as the basis for 2.4 because in every single case the X.0 release has been nothing more than a glorified beta almost directly based on the head branch with "release" sticker added. It's common that people wait until the X.1 release before they switch to the next major version because of the problems that usually occur with the X.0 releases.
All things considered, 11.0 has been OK. Only a few things that were problems compared to earlier versions. But in general that has been true with past releases. And it wouldn't be that way if more people tested the x.0 release ALPHA/BETA/RC images but some people just wait for release, install, then complain about things.
That's another reason we can't fathom why they thought it was a good idea to backport the new IPsec stack into 11.1, though. There will be a number of people jumping straight from 10.x to 11.1, and they could be in for a surprise.
> FreeBSD imported the new IPsec stack into 11.1 which is a bit of a blocker for us. Unless we can convince them to revert that, or revert it locally, it doesn't look like we can use 11.1.
> Is there a specific concern about the new IPsec stack or is it just the uncertainty?
Primarily the uncertainty, because it is a significant/large change to pull into an x.1 release, and it happened fairly soon after it was first put in. There is not a lot of feedback about it around either, good or bad, to support its stability or suitability for a FreeBSD point release. If there was a giant chorus of people saying it was great/more stable/working well/etc then maybe it would be more justifiable.
We're working on porting our patches and such to 11.1 to run some tests with and without the new stack so we can try it for ourselves in various scenarios.
-
Jim, I have politely brought up the kernel panic turnstile bug in a bug thread on Redmine and on here. You have said 11.0 has largely been OK, but there has been no comment whatsoever in relation to that bug and as such no commit of the patches made available to fix the bug.
I don't know how many pfSense users use Atom CPUs (or Intel low-powered Celeron CPUs) but they will be in for a shock because it's a nasty bug.
As kpa said, 11.0 introduced a lot of things; the IPsec change which has been rejected by pfSense is minor compared to the total amount of changes in 11.0. I expect on the whole 11.1 will be a much higher quality release than 11.0, given 11.0 came straight from HEAD (alpha untested code).
Am I right in thinking that now pfSense has committed to 11.0 for 2.4, the entire 2.4 branch will be stuck on 11.0 code?
-
2.4 will be on 11.0, 2.4.1 will be on 11.1. Given the timing, depending on what we find in testing, 2.4.1 will be very close behind 2.4, but we do want to get 2.4 out sooner than we could if we delayed to wait on 11.1 testing to pan out.