PF changes in master - issues still present
Matthew Dillon
dillon at apollo.backplane.com
Fri Jun 27 19:12:39 PDT 2014
Recently PF was changed to run concurrently on CPUs on SMP boxes,
which should significantly improve its performance.

There are still a few issues present in the PF changes on master,
so it may not be suitable for a production server yet. But I hope
to get most of them dealt with within a week.

* Simple block/pass rules should all be operational. Other rules except
  NAT should theoretically work but are not tested.

* Currently IPV4 NAT works with TCP but may not with UDP. It requires
  that PF be able to select from a reasonable range of ports. Doing
  NAT and forcing a fixed source port on the router will be unreliable.

* Currently IPV6 NAT should be operational but has not been tested.
  However, it may break as we do additional concurrency work on the
  IPV6 stack.

I hope to fix the UDP issues soon. The IPV6 spec does not officially
support NAT but we'd like to make it work anyway.

-Matt
Matthew Dillon
<dillon at backplane.com>