Time to let go of ipfilter

Atte Peltomäki atte.peltomaki at iki.fi
Mon Feb 21 06:01:32 PST 2011

On Sat, Jan 22, 2011 at 02:37:05PM +0100, Jan Lentfer wrote:
> Am 22.01.2011 10:04, schrieb Edward O'Callaghan:
> > I agree, however I have no doubt it will be added soon since this is
> > also a limitation for NetBSD usage of NPF as well.. more my point, +1
> > to EOL'ing older solutions that are no longer maintained or scalable.
> >
> NPF is the new kid on the block. Let's see how it behaves in practice, I 
> for one will consider looking at it in-depth as soon as it is officially 
> released with NetBSD, not before.
> PF is a very good packet filter in my eyes, it's actively maintained and 
> feature-rich. Of course there is room for improvement. E.g. I want to 
> look into making state lookups SMP capable at some point, which I think 
> will give a good performance boost on SMP hardware, for those who need it.

PF is simply too slow. It does have good functionality and it's easy to
use, but it doesn't scale beyond small/medium networks. I stress-tested
it some time ago and OpenBSD/pf could get a combined throughput of
around 1.6Gbps. FreeBSD/pf got a little better, but not so that it would
really mean much. 

Given DFly goals, NPF sounds like it should definitely be looked at. 
At a glance at least its source looks readable, I'll take a whack at
porting it a bit later. 

Atte Peltomäki
     atte.peltomaki at iki.fi <> http://kameli.org
"Your effort to remain what you are is what limits you"
