Time to let go of ipfilter

Matthew Dillon dillon at apollo.backplane.com
Fri Jan 21 08:06:33 PST 2011


:2011/1/21 Sepherosa Ziehau <sepherosa at gmail.com>:
:> Hi all,
:Hi sephe
:>
:> ipfilter is not maintained in dragonfly at all, I plan to remove it.
:
:Just a word about it. Currently we (a French hoster, http://www.nfrance.com) use
:DragonFly (2.6, as 2.8 broke ipsec) as the primary OS for our routers (20 machines)
:with quagga and ipf. And it works really well (better than FreeBSD, which we were
:previously using).
:
:Our requirement for routing machines is to be able to gracefully handle
:200-300mb/s traffic load with filtering (stateless) and bgp/ospf routing
:(full table). The crash test is at 400mb/s in the lab.
:
:We chose ipf for historical reasons (previously used on FreeBSD). But
:we experienced on FreeBSD that it's really faster than pf.
:
:Do you think there is currently another piece of software (maybe ipfw) that can
:filter a 200/300 mb/s load?

    PF in master should be able to do it but of course it is quite
    experimental.  I would worry about the state tables possibly getting
    blown out.

    Currently the PF in master is not handling the tcp sequence space
    properly and /etc/pf.conf must contain global options as follows
    to run reliably:

	set keep-policy keep state (pickups, sloppy)

    PF in 2.6 should work well and not require 'sloppy' (it might not
    even support 'sloppy').

    If you could possibly switch to PF that would be the best thing to
    do.  Having three different packet filters in DragonFly is just too
    many and IPF is the least-used of the three.

    IPSEC is another matter.  Any breakage there should be fairly easy to
    fix if we can get someone to mess with it.  I can mess with it myself
    sometime mid-February.

					-Matt
					Matthew Dillon 
					<dillon at backplane.com>
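An added example, not taken from this thread or from the DragonFly project: a minimal pf.conf sketch for the stateless filtering router the original poster describes, showing how to use pf without accumulating state-table entries (the blow-out Matt worries about). Interface names, networks and the peer address are placeholders I made up; the `set keep-policy` line is copied verbatim from Matt's message and whether a given release accepts it is an assumption to check against pf.conf(5); `no state` and `keep state (sloppy)` are standard pf rule options.

```pf
# Added example (not from the thread): stateless filtering router sketch.
# Interface names, networks and the peer address are made-up placeholders.
ext_if    = "em0"
int_if    = "em1"
admin_net = "192.0.2.0/24"
bgp_peer  = "198.51.100.1"

# Global option exactly as Matt gives it for the master branch; check
# pf.conf(5) on your release before relying on it (assumption).
set keep-policy keep state (pickups, sloppy)

# Stateless rules: 'no state' means no state-table entry is created, so a
# sustained 200-300 Mb/s flow cannot exhaust the state table. Every packet
# is matched on its own, so both directions must be allowed explicitly.
pass quick on $int_if no state
pass out quick on $ext_if no state

# Routing protocols: BGP (TCP 179) only from the known peer, OSPF (proto 89).
pass in quick on $ext_if proto tcp from $bgp_peer to any port 179 no state
pass in quick on $ext_if proto ospf no state

# Management: SSH from the admin network only; other inbound traffic is dropped.
pass in quick on $ext_if proto tcp from $admin_net to any port 22 no state
block in on $ext_if

# Stateful alternative for one service, with per-rule sloppy tracking
# (standard pf syntax) rather than the global policy above:
# pass in on $ext_if proto tcp to any port 80 keep state (sloppy)
```

The trade-off is the usual one: stateless rules keep memory flat under load and survive asymmetric paths, but give up the sequence-number checking that stateful tracking provides, which is also what `sloppy` relaxes.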
