Time to let go of ipfilter
dillon at apollo.backplane.com
Fri Jan 21 08:06:33 PST 2011
:2011/1/21 Sepherosa Ziehau <sepherosa at gmail.com>:
:> Hi all,
:> ipfilter is not maintained in dragonfly at all, I plan to remove it.
:Just a word about it. Currently we (a french hoster http://www.nfrance.com) use
:DragonFly (2.6 has 2.8 broke ipsec) as primary OS for our routers (20 machines)
:with quagga and ipf. And it works really well (better than FreeBSD we were
:Our requirement for routing machines is to be able to gracefully handle
:200-300mb/s traffic load with filtering (stateless) and bgp/ospf routing
:(full table). Crash test is at 400mb/s in lab.
:We chose ipf for historical reasons (previously used on FreeBSD). But
:we experienced on FreeBSD that it's really faster than pf.
:Do you think there is currently another software (maybe ipfw) that can
:filter 200/300 mb/s load?
PF in master should be able to do it but of course it is quite
experimental. I would worry about the state tables possibly getting
Currently the PF in master is not handling the tcp sequence space
properly and /etc/pf.conf must contain global options as follows
to run reliably:
set keep-policy keep state (pickups, sloppy)
PF in 2.6 should work well and not require 'sloppy' (it might not
even support 'sloppy').
If you could possibly switch to PF that would be the best thing to
do. Having three different packet filters in DragonFly is just too
many and IPF is the least-used of the three.
IPSEC is another matter. Any breakage there should be fairly easy to
fix if we can get someone to mess with it. I can mess with it myself
<dillon at backplane.com>