pfSense » pfSense Packages

Hello,

I appreciate all pfSense+ updates and efforts Team is doing (I am relatively new user, but I am advocating your software router solution so hope your sales will grow in my home country).
I am especially gratefull for latest pfSense+ R2305 release and upgraded haproxy component (v2.7.6).

However you seem to compile haproxy without QUIC/h3 support. Is there any reason for that?

Will QUIC/h3 be supported by pfSense+? When do you plan such feature?

haproxy info - pfSense+ 23.05:
[23.05-RELEASE][somebody@router.domain.com]/root: haproxy -vv
HAProxy version 2.7.6-4dadaaa 2023/03/28 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2024.
Known bugs: http://www.haproxy.org/bugs/bugs-2.7.6.html
Running on: FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05-n256102-7cd3d043045: Mon May 22 15:33:52 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/obj/amd64/LkEyii3W/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/sources/FreeBS amd64
Build options :
TARGET = freebsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wnull-dereference -fwrapv -Wno-unknown-warning-option -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment -DFREEBSD_PORTS
OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_STATIC_PCRE=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_PROMEX=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : -51DEGREES +ACCEPT4 -BACKTRACE +CLOSEFROM +CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE +LIBCRYPT -LINUX_SPLICE -LINUX_TPROXY +LUA -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT +PCRE -PCRE2 -PCRE2_JIT +PCRE_JIT +POLL -PRCTL +PROCCTL +PROMEX -PTHREAD_EMULATION -QUIC -RT +SHM_OPEN -SLZ +STATIC_PCRE -STATIC_PCRE2 -SYSTEMD -TFO +THREAD -THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=4).
Built with OpenSSL version : OpenSSL 1.1.1t-freebsd 7 Feb 2023
Running on OpenSSL version : OpenSSL 1.1.1t-freebsd 7 Feb 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.6
Built with the Prometheus exporter as a service
Support for malloc_trim() is enabled.
Built with zlib version : 1.2.13
Running on zlib version : 1.2.13
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with PCRE version : 8.45 2021-06-15
Running on PCRE version : 8.45 2021-06-15
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with clang compiler version 15.0.7 (https://github.com/llvm/llvm-project.git llvmorg-15.0.7-0-g8dfdcc7b7bf6)

Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=

Available services : prometheus-exporter
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace

1. I understand that Quick/H3 is currently not supported in R2305 (not seeing USE_QUIC=1 / seeing -QUIC).
2. I am unable to input something like that "quic4@80.xx.yy.zz" or like that "quic4" in current web gui.
3. I tried "Advanced Pass Through" option in frontend, eg.
bind quic4@80.xx.yy.zz:443 name quic4@80.xx.yy.zz:443 ssl crt-list /var/etc/haproxy/shared-https-80.xx.yy.zz.crt_list alpn h3
but I got:
"Errors found while starting haproxy
[NOTICE] (31671) : haproxy version is 2.7.6-4dadaaa
[NOTICE] (31671) : path to executable is /usr/local/sbin/haproxy
[ALERT] (31671) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:239] : 'bind' : unsupported stream protocol for datagram family 2 address 'quic4@80.xx.yy.zz:443'; QUIC is not compiled in if this is what you were looking for.
[ALERT] (31671) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
[ALERT] (31671) : config : Fatal errors found in configuration. "

I hope you will support QUICK/h3 in haproxy. GUI support seems to be less important for me than real haproxy feature/compile flag, although it would be nice do support "new options".
I am asking only for the 1 reason: SMB over QUIC in Windows Server 2022. Perhaps there are more use cases of QUIC, but this one seems to be "interesting" and easy implementable with Windows11 clients to me.

Finally (unrelated question): do you plan to build haproxy against LUA 5.4? Please upgrade if possible. I like haproxy in my router much.

Kind regards,
Pawel