Time to let go of ipfilter

Mindaugas Rasiukevicius rmind at netbsd.org
Fri Jan 21 11:34:46 PST 2011


Matthew Dillon <dillon at apollo.backplane.com> wrote:
>     PF in master should be able to do it but of course it is quite
>     experimental.  I would worry about the state tables possibly getting
>     blown out.
> 
>     Currently the PF in master is not handling the tcp sequence space
>     properly and /etc/pf.conf must contain global options as follows
>     to run reliably:
> 
> 	set keep-policy keep state (pickups, sloppy)
> 
>     PF in 2.6 should work well and not require 'sloppy' (it might not
>     even support 'sloppy').
> 
>     If you could possibly switch to PF that would be the best thing to
>     do.  Having three different packet filters in DragonFly is just too
>     many and IPF is the least-used of the three.
> 
>     IPSEC is another matter.  Any breakage there should be fairly easy to
>     fix if we can get someone to mess with it.  I can mess with it myself
>     sometime mid-February.

While NPF on NetBSD is still work-in-progress, most features are already
implemented and we will be focusing on bug fixing and performance next.

http://nxr.netbsd.org/xref/src/sys/net/npf/

Just FYI, in a case you might be interested on alternatives.

-- 
Mindaugas





More information about the Kernel mailing list