Time to let go of ipfilter
Mindaugas Rasiukevicius
rmind at netbsd.org
Fri Jan 21 11:34:46 PST 2011
Matthew Dillon <dillon at apollo.backplane.com> wrote:
> PF in master should be able to do it but of course it is quite
> experimental. I would worry about the state tables possibly getting
> blown out.
>
> Currently the PF in master is not handling the tcp sequence space
> properly and /etc/pf.conf must contain global options as follows
> to run reliably:
>
> set keep-policy keep state (pickups, sloppy)
>
> PF in 2.6 should work well and not require 'sloppy' (it might not
> even support 'sloppy').
>
> If you could possibly switch to PF that would be the best thing to
> do. Having three different packet filters in DragonFly is just too
> many and IPF is the least-used of the three.
>
> IPSEC is another matter. Any breakage there should be fairly easy to
> fix if we can get someone to mess with it. I can mess with it myself
> sometime mid-February.
While NPF on NetBSD is still work-in-progress, most features are already
implemented and we will be focusing on bug fixing and performance next.
http://nxr.netbsd.org/xref/src/sys/net/npf/
Just FYI, in case you might be interested in alternatives.
--
Mindaugas