hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20100915] Introducing NPF, NetBSD's new packet filter (Updated)
Following the recent call for funded projects, NPF, a new packet filter implemented from scratch by Mindaugas Rasiukevicius (rmind@), has now been announced: ``NPF is designed for high performance on multiprocessor machines, and for easy extensibility.

    Highlights of NPF features include

    • MP-safety and locklessness for scalable MP performance: no longer is the packet filter the bottleneck in your multicore router
    • Fast hash-table and red-black tree lookups
    • Stateful packet filtering, Network Address Port Translation (NAPT), and Application-Level Gateways (ALGs) for, e.g., traceroute
    • The N-Code processor, a packet-inspection engine inspired by BPF: the N-Code processor is programmed to match packets using generic, RISC-like instructions and a few CISC-like instructions for common patterns such as IPv4 addresses
    • Familiar configuration syntax and utilities
    • Modularity and extensibility: users extend NPF by loading a kernel module. NPF provides developers with an extensions API. NPF rules can embed a hook that invokes an extension
    By the end of January, NPF should have all of the capabilities that NetBSD users have come to expect by using the other filters in the kernel:

    • IPv4 reassembly support
    • Bi-directional NAT and port forwarding (re-direction)
    • FTP proxy support
    • IP header flags cleansing
    • ICMP packets and TCP RST packet blocking
    • Save/restore state
    • Packet logging, configurable using filter rules
    Rasiukevicius will also write documentation and configuration examples.

    Beyond that, NPF needs code for IPv6 support. Rasiukevicius agrees to provide technical support to developers who will add IPv6 support to NPF. An outline of the steps to IPv6 support will be forthcoming.

    NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF is unique for using a bytecode interpreter in its packet-inspection engine, and for answering the question, "What does a packet filter designed from the bottom up for multiprocessor systems look like?"

    NPF development is sponsored by the NetBSD Foundation.''

Good! If anyone feels bored / brave, things that I'd love to see added include IPv6 support and support for AltQ, (Net)BSD's implementation of alternate network queuing, i.e. QoS / CoS.

Update: For those interested in the configuration of NPF, here are a bunch of manpages: npf.conf(5), npfctl(8), npf_ncode(9). Enjoy!
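To make the "bytecode interpreter in the packet-inspection engine" idea from the announcement concrete, here is an added example written for this post: a toy BPF-style matcher in C. It is not NPF code and not the real N-Code instruction set (that is documented in npf_ncode(9)); the opcode names, the encoding, the hand-compiled rule and the 192.0.2.10 test address are all invented for the illustration. What it does show is the property that makes such engines attractive for a lockless MP design: each packet is checked by a small, fixed program whose every memory access is bounds-checked and which touches no shared state.

```c
/* Toy bytecode packet matcher in the spirit of BPF. Added illustration only:
 * not NPF's N-Code; opcodes, encoding, rule and addresses are invented here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum op {
    OP_LDB,  /* acc = pkt[k] (one byte)                        */
    OP_LDH,  /* acc = big-endian 16-bit word at pkt[k]         */
    OP_LDW,  /* acc = big-endian 32-bit word at pkt[k]         */
    OP_AND,  /* acc &= k                                       */
    OP_JEQ,  /* continue if acc == k, otherwise reject packet  */
    OP_RET   /* stop; k != 0 means "rule matches"              */
};

struct insn { enum op op; uint32_t k; };

/* True if [k, k+width) lies inside the packet; avoids overflow in k+width. */
static int in_bounds(uint32_t k, size_t width, size_t len)
{
    return k < len && len - k >= width;
}

/* Run prog over pkt. Returns 1 on match; 0 on mismatch, on a truncated packet
 * (any out-of-bounds load rejects), or if the program ends without OP_RET. */
static int run_filter(const struct insn *prog, size_t ninsn,
                      const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < ninsn; pc++) {
        uint32_t k = prog[pc].k;
        switch (prog[pc].op) {
        case OP_LDB:
            if (!in_bounds(k, 1, len)) return 0;
            acc = pkt[k];
            break;
        case OP_LDH:
            if (!in_bounds(k, 2, len)) return 0;
            acc = (uint32_t)pkt[k] << 8 | pkt[k + 1];
            break;
        case OP_LDW:
            if (!in_bounds(k, 4, len)) return 0;
            acc = (uint32_t)pkt[k] << 24 | (uint32_t)pkt[k + 1] << 16 |
                  (uint32_t)pkt[k + 2] << 8 | pkt[k + 3];
            break;
        case OP_AND: acc &= k; break;
        case OP_JEQ: if (acc != k) return 0; break;
        case OP_RET: return k != 0;
        }
    }
    return 0;
}

/* A rule like "pass proto tcp to 192.0.2.10 port 22", compiled by hand.
 * Offsets are those of a raw IPv4 packet without a link-layer header. */
static const struct insn ssh_to_host[] = {
    { OP_LDB, 0 }, { OP_AND, 0xF0 }, { OP_JEQ, 0x40 },  /* IP version 4      */
    { OP_LDB, 0 }, { OP_AND, 0x0F }, { OP_JEQ, 5 },     /* IHL 5: TCP at +20 */
    { OP_LDB, 9 }, { OP_JEQ, 6 },                       /* protocol TCP      */
    { OP_LDW, 16 }, { OP_JEQ, 0xC000020Au },            /* dst 192.0.2.10    */
    { OP_LDH, 22 }, { OP_JEQ, 22 },                     /* TCP dst port 22   */
    { OP_RET, 1 },
};
#define NINSN (sizeof ssh_to_host / sizeof ssh_to_host[0])

/* Constructed 40-byte IPv4+TCP header (checksums left zero) for the demo. */
static size_t make_packet(uint8_t *buf, uint8_t proto, uint32_t dst, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = proto;
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    buf[20] = 0xC0; buf[21] = 0x00;               /* src port 49152 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 40;
}

int match_ssh_to_host(void)   /* TCP to 192.0.2.10:22 -> 1 */
{
    uint8_t pkt[40];
    return run_filter(ssh_to_host, NINSN, pkt, make_packet(pkt, 6, 0xC000020Au, 22));
}

int match_other_port(void)    /* same host, port 80 -> 0 */
{
    uint8_t pkt[40];
    return run_filter(ssh_to_host, NINSN, pkt, make_packet(pkt, 6, 0xC000020Au, 80));
}

int match_truncated(void)     /* only the IP header arrived: port load is out of bounds -> 0 */
{
    uint8_t pkt[40];
    make_packet(pkt, 6, 0xC000020Au, 22);
    return run_filter(ssh_to_host, NINSN, pkt, 20);
}

int main(void)
{
    printf("ssh: %d  http: %d  truncated: %d\n",
           match_ssh_to_host(), match_other_port(), match_truncated());
    return 0;
}
```

The three probes are the cases a filter engine must get right: a packet that matches, one that differs only in the port, and a truncated packet where a naive matcher would read past the buffer; the interpreter rejects the last one instead of reading garbage.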

[20050919] PF-related tool: dfd_keeper
Travis H. posted ``that a dynamic firewall daemon, (sort of a command shell for the firewall), is available for NetBSD & pf.'' Check out the website!

[20050421] "Firewalling with PF" updated
As reported in the OpenBSD Journal, Peter N. M. Hansteen has updated his "Firewalling with PF" documentation, which now includes discussion of PF on NetBSD.

[20050317] Patch for ALTQ support in pf on NetBSD -current
In an ideal world, there would be separate components in a TCP/IP stack for categorizing traffic to do things like traffic analysis, prioritizing or filtering. Right now, NetBSD lacks separation in this area, which basically prevents using ALTQ independently of IPfilter and PF (as far as I understand!).

Because of this, a separate patch is needed to use ALTQ with PF on NetBSD-current; it was posted by Peter Postma, the maintainer of PF on NetBSD.

[20050216] Firewalling with PF
Peter N. M. Hansteen has worked on a lecture/tutorial on firewalling with the PF packet filter, and it's available now in HTML and PDF, as well as a set of slides in HTML.

[20050120] PF loadable kernel module for NetBSD 2.0
Peter Postma doesn't only work on the integration of the PF packet filter into the development version of NetBSD (NetBSD-current, which has PF, in contrast to NetBSD 2.0), he also maintains a page about PF on NetBSD 2.0. Probably of interest for some people.

[20040623] PF in NetBSD-current now!
Itojun has imported the PF firewalling software into NetBSD-current. Users now have a choice between IPfilter and PF. More information on PF can be found e.g. on the PF homepage.

[20040511] New pf port
Peter Postma has ported the latest OpenBSD Packet Filter (PF) to NetBSD. See his posting to tech-pkg for more information or check his pf-page!

Copyright (c) Hubert Feyrer