Subject: pf for NetBSD, strike two
To: None <current-users@netbsd.org, tech-net@netbsd.org>
From: Joel Wilsson <joelw@unix.se>
List: current-users
Date: 01/05/2003 02:08:07
I've once again ported OpenBSD's pf to NetBSD, this time as a pure
LKM to make testing easier. A tar-ball can be downloaded here:
http://w1.586.telia.com/~u58619491/NetBSD/pflkm_20030105.tar.gz

ALTQ isn't supported, because we'll have to change our ALTQ headers
to make them work properly with pf. For example, both altq_hfsc.h
and altq_priq.h define struct class_stats, so they collide, and
pfctl/parse.y #include both.

IPv6 isn't supported either, simply because I do not (yet) have an
IPv6 network to test it with. It should be easy to add support for
that, though.

If someone asks about the advantages of pf over ipfilter again...
well, a lot more people are working on it, the integration with
ALTQ is quite nice, the code is much cleaner than ipfilter's and
it is was designed with IPv6 in mind from the beginning.

Please give it a try. As a start, you can look at its state info
by doing something like this:
$ tar xfvz pflkm_20030105.tar.gz
$ cd pflkm/
$ make
$ sudo /sbin/modload lkm/pfmodule.o
Module loaded as ID 0
$ modstat
Type    Id   Offset Loadaddr Size Info     Rev Module Name
DEV       0  -1/98  dc8f3000 0050 dc904ae0   1 pf
$ sudo /sbin/mknod /dev/pf c 98 0  # assuming it was loaded in
                                    # slot 98, as it was for me.
$ echo pass in all keep state > /tmp/passall.conf
$ echo pass out all keep state >> /tmp/passall.conf
$ cd sbin/pfctl/
$ sudo ./pfctl -e -f /tmp/passall.conf
pf enabled
<do something like ftp to ftp.netbsd.org in another terminal>
$ ./pfctl -ss  # shows all states

Note that you *must* have compiled your kernel with PFIL_HOOKS. If
you're running a GENERIC kernel you already have it. You must also
be running a reasonably new -current. You can unload the module
with sudo /sbin/modunload -n pf whenever you want to.

Let me know if you run into any trouble.
Thanks,
   joelw