DragonFly BSD
DragonFly kernel List (threaded) for 2011-01

Re: Time to let go of ipfilter


From: Mindaugas Rasiukevicius <rmind@xxxxxxxxxx>
Date: Fri, 21 Jan 2011 19:30:32 +0000

Matthew Dillon <dillon@apollo.backplane.com> wrote:
>     PF in master should be able to do it but of course it is quite
>     experimental.  I would worry about the state tables possibly getting
>     blown out.
> 
>     Currently the PF in master is not handling the tcp sequence space
>     properly and /etc/pf.conf must contain global options as follows
>     to run reliably:
> 
> 	set keep-policy keep state (pickups, sloppy)
> 
>     PF in 2.6 should work well and not require 'sloppy' (it might not
>     even support 'sloppy').
> 
>     If you could possibly switch to PF that would be the best thing to
>     do.  Having three different packet filters in DragonFly is just too
>     many and IPF is the least-used of the three.
> 
>     IPSEC is another matter.  Any breakage there should be fairly easy to
>     fix if we can get someone to mess with it.  I can mess with it myself
>     sometime mid-February.

While NPF on NetBSD is still work-in-progress, most features are already
implemented and we will be focusing on bug fixing and performance next.

http://nxr.netbsd.org/xref/src/sys/net/npf/

Just FYI, in case you might be interested in alternatives.

-- 
Mindaugas


