Discussion: update pf
Egerváry Gergely
2016-12-04 20:34:10 UTC
Hi,

do you have plans on updating pf (OpenBSD's packet filter) in NetBSD?
Now we have pf from ~ OpenBSD 4.2.

Thank you,
--
Gergely EGERVARY

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Joerg Sonnenberger
2016-12-04 20:56:44 UTC
Post by Egerváry Gergely
do you have plans on updating pf (OpenBSD's packet filter) in NetBSD?
Now we have pf from ~ OpenBSD 4.2.
I don't think anyone has enough interest and time to sink into such a
project.

Joerg

Egerváry Gergely
2016-12-04 21:08:24 UTC
Post by Joerg Sonnenberger
Post by Egerváry Gergely
do you have plans on updating pf (OpenBSD's packet filter) in NetBSD?
Now we have pf from ~ OpenBSD 4.2.
I don't think anyone has enough interest and time to sink into such a
project.
Do you think npf is the only way to go on NetBSD?
Darren's IPFilter is abandoned, OpenBSD's pf is outdated.
--
Gergely EGERVARY


Joerg Sonnenberger
2016-12-04 22:00:03 UTC
Post by Egerváry Gergely
Post by Joerg Sonnenberger
Post by Egerváry Gergely
do you have plans on updating pf (OpenBSD's packet filter) in NetBSD?
Now we have pf from ~ OpenBSD 4.2.
I don't think anyone has enough interest and time to sink into such a
project.
Do you think npf is the only way to go on NetBSD?
Darren's IPFilter is abandoned, OpenBSD's pf is outdated.
OpenBSD's PF is not maintainable. It got more and more tentacles into
the rest of the OpenBSD network stack. So yes, effectively I think NPF
is the only viable option midterm.

Joerg

Egerváry Gergely
2016-12-04 22:26:34 UTC
Post by Joerg Sonnenberger
OpenBSD's PF is not maintainable. It got more and more tentacles into
the rest of the OpenBSD network stack. So yes, effectively I think NPF
is the only viable option midterm.
Bad news. PF is a great design and it's quite multiplatform. It is in
Solaris 11.3, Mac OS X 10.7, FreeBSD and DragonFly, pfSense (= FreeBSD)
and probably others. (FreeBSD port is outdated, too)

NPF is missing TPROXY / divert sockets functionality.
--
Gergely EGERVARY


Joerg Sonnenberger
2016-12-04 22:42:50 UTC
Post by Egerváry Gergely
Post by Joerg Sonnenberger
OpenBSD's PF is not maintainable. It got more and more tentacles into
the rest of the OpenBSD network stack. So yes, effectively I think NPF
is the only viable option midterm.
Bad news. PF is a great design and it's quite multiplatform. It is in
Solaris 11.3, Mac OS X 10.7, FreeBSD and DragonFly, pfSense (= FreeBSD)
and probably others. (FreeBSD port is outdated, too)
Have you ported it to any of those systems? I can assure you, it is
*not* designed to be integrated with other systems. Trying to keep
up with the OpenBSD changes is a significant amount of work. I don't
know how many developers are paid by Oracle or Apple for it, but for a
volunteering project it is not that easy.
Post by Egerváry Gergely
NPF is missing TPROXY / divert sockets functionality.
Missing functionality in NPF is a different topic.

Joerg

Christos Zoulas
2016-12-05 22:38:37 UTC
Post by Egerváry Gergely
Post by Joerg Sonnenberger
OpenBSD's PF is not maintainable. It got more and more tentacles into
the rest of the OpenBSD network stack. So yes, effectively I think NPF
is the only viable option midterm.
Bad news. PF is a great design and it's quite multiplatform. It is in
Solaris 11.3, Mac OS X 10.7, FreeBSD and DragonFly, pfSense (= FreeBSD)
and probably others. (FreeBSD port is outdated, too)
NPF is missing TPROXY / divert sockets functionality.
Can't you use map for those?

christos


Egerváry Gergely
2016-12-06 08:02:20 UTC
Post by Christos Zoulas
Post by Egerváry Gergely
NPF is missing TPROXY / divert sockets functionality.
Can't you use map for those?
Squid transparent/intercept proxy needs to know the original
destination address. With map (DNAT) it's only possible by doing
an IOCTL lookup on the NAT table.

IPFilter: SIOCGNATL
PF: DIOCNATLOOK

Unfortunately, it's not implemented in NPF yet.
--
Gergely EGERVARY


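The lookup Gergely describes, shown end to end as an added example (not code from this thread, from Squid, or from NetBSD's identd): an intercepting proxy takes the client address and its own listening address from the accepted socket, asks pf for the matching state, and reads the pre-translation destination back from rdaddr/rdport. Python stands in for the C that Squid and identd use; the struct pfioc_natlook layout and the _IOWR encoding of DIOCNATLOOK are taken from pf's pfvar.h of the 4.2 era, the PF_OUT direction follows the convention intercept proxies use for rdr'd connections, and the function names are mine; check the offsets against the pfvar.h on the target system before relying on them.

```python
import fcntl
import os
import socket
import struct

# struct pfioc_natlook from <net/pfvar.h> (pf 4.2 era): four 16-byte pf_addr
# unions (saddr, daddr, rsaddr, rdaddr), four u_int16_t ports in network byte
# order (sport, dport, rsport, rdport), then af, proto, direction and one pad
# byte. Assumption: verify the offsets against the local pfvar.h.
_NATLOOK_FMT = "=16s16s16s16s2s2s2s2sBBBx"
NATLOOK_SIZE = struct.calcsize(_NATLOOK_FMT)   # 76 bytes

PF_IN, PF_OUT = 1, 2                           # pf direction constants


def _iowr(group, num, size):
    """BSD _IOWR(): IOC_INOUT | (size & IOCPARM_MASK) << 16 | group << 8 | num."""
    return 0xC0000000 | ((size & 0x1FFF) << 16) | (ord(group) << 8) | num


DIOCNATLOOK = _iowr("D", 23, NATLOOK_SIZE)    # _IOWR('D', 23, struct pfioc_natlook)


def _pf_addr(ip):
    """Pack an IPv4 dotted quad into a 16-byte pf_addr union."""
    return socket.inet_pton(socket.AF_INET, ip).ljust(16, b"\0")


def natlook_request(peer_ip, peer_port, local_ip, local_port, direction=PF_OUT):
    """Request for an rdr'd TCP connection: the client is the source, the
    proxy's own listening address/port is the (translated) destination."""
    return bytearray(struct.pack(
        _NATLOOK_FMT,
        _pf_addr(peer_ip), _pf_addr(local_ip), b"\0" * 16, b"\0" * 16,
        struct.pack("!H", peer_port), struct.pack("!H", local_port),
        b"\0\0", b"\0\0",
        socket.AF_INET, socket.IPPROTO_TCP, direction))


def natlook_reply(buf):
    """Return (ip, port) the client originally connected to: the kernel
    fills rdaddr/rdport with the pre-translation destination."""
    fields = struct.unpack(_NATLOOK_FMT, bytes(buf))
    rdaddr, rdport = fields[3], fields[7]
    return socket.inet_ntop(socket.AF_INET, rdaddr[:4]), struct.unpack("!H", rdport)[0]


def original_destination(conn):
    """On a BSD running pf: ask /dev/pf for the original destination of an
    accepted, rdr'd connection. ENOENT means pf has no matching state."""
    peer_ip, peer_port = conn.getpeername()[:2]
    local_ip, local_port = conn.getsockname()[:2]
    req = natlook_request(peer_ip, peer_port, local_ip, local_port)
    pf = os.open("/dev/pf", os.O_RDONLY)     # DIOCNATLOOK works on a read-only fd
    try:
        fcntl.ioctl(pf, DIOCNATLOOK, req, True)  # kernel writes the reply in place
    finally:
        os.close(pf)
    return natlook_reply(req)
```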
Christos Zoulas
2016-12-06 13:06:23 UTC
Post by Egerváry Gergely
Post by Christos Zoulas
Post by Egerváry Gergely
NPF is missing TPROXY / divert sockets functionality.
Can't you use map for those?
Squid transparent/intercept proxy needs to know the original
destination address. With map (DNAT) it's only possible by doing
an IOCTL lookup on the NAT table.
IPFilter: SIOCGNATL
PF: DIOCNATLOOK
Unfortunately, it's not implemented in NPF yet.
That should be simple to add. I wish I had some spare cycles to do it.

christos


Christos Zoulas
2016-12-10 05:52:25 UTC
Post by Egerváry Gergely
Post by Christos Zoulas
Post by Egerváry Gergely
NPF is missing TPROXY / divert sockets functionality.
Can't you use map for those?
Squid transparent/intercept proxy needs to know the original
destination address. With map (DNAT) it's only possible by doing
an IOCTL lookup on the NAT table.
IPFilter: SIOCGNATL
PF: DIOCNATLOOK
Unfortunately, it's not implemented in NPF yet.
I just implemented it; see the identd source on how to use it.

christos


Egerváry Gergely
2016-12-12 09:11:37 UTC
Post by Christos Zoulas
Post by Egerváry Gergely
IPFilter: SIOCGNATL
PF: DIOCNATLOOK
Unfortunately, it's not implemented in NPF yet.
I just implemented it; see the identd source on how to use it.
Brilliant! Thank you!
--
Gergely EGERVARY

