Current-Users archive
Re: Why so many packet filters?
On Mon, Aug 15, 2016 at 12:10 PM, Paul Goyette <paul%vps1.whooppee.com@localhost> wrote:
> Taking a quick look, it seems that we have at least four (maybe five)
> different packet filters available.
>
> pf
> ipf
> bpf (and bpfjit)
> npf
>
> Is there a concise description of each, and when to use one vs the
> other?
(I'm not so familiar with filters, so please someone correct me
if I'm wrong.)
First of all, bpf (bpfjit) is different from the others. bpf sniffs
raw packets on rx/tx in network device drivers (grep bpf_mtap) and
also allows sending raw packets directly via ifp->if_output
(e.g., ether_output). It doesn't provide the pass/block filters that
the others provide.
bpfjit is just an optimization option of bpf, so we don't need to
treat it individually.
pf, ipf and npf provide pass/block functionality (and more) at
hook points (grep pfil_run_hooks) in the network stack via pfil(9),
which realizes, say, a firewall and NAT/NAPT. They provide similar
functions, but unfortunately their functions aren't compatible and
cannot easily replace one another, IIUC. (Someone would have to explain
the details of the differences.)
npf is a newer filter than the others and is designed for multi-core
systems. So basically we recommend npf when one wants to newly use one of
them.
BTW, should we mark pf and ipf deprecated in netbsd-8, as they aren't
well maintained nowadays?
ozaki-r
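To illustrate the distinction drawn in the reply above (bpf classifies packets and returns a capture length; it has no pass/block verdict), here is a small interpreter for classic BPF programs. This is an added example, not code from the mail or from NetBSD: the opcode values are the standard ones from <net/bpf.h>, the program is the well-known tcpdump compilation of "ip and tcp dst port 22", and the Ethernet/IPv4/TCP frames it runs on are constructed inline. The filter returns a snapshot length (262144 here) for a match and 0 for a non-match, which is exactly how a bpf(4) reader decides how much of a frame to copy; nothing in that result drops or forwards the packet, which is the job of pfil(9) hooks and pf/ipf/npf.

```python
import struct

# Classic BPF encoding constants, as in <net/bpf.h> (same values on BSDs and Linux).
BPF_LD, BPF_LDX, BPF_JMP, BPF_RET = 0x00, 0x01, 0x05, 0x06          # instruction classes
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10                              # load widths
BPF_ABS, BPF_IND, BPF_LEN, BPF_MSH = 0x20, 0x40, 0x80, 0xa0         # addressing modes
BPF_JA, BPF_JEQ, BPF_JGT, BPF_JGE, BPF_JSET = 0x00, 0x10, 0x20, 0x30, 0x40
BPF_K, BPF_X, BPF_A = 0x00, 0x08, 0x10                              # operand / return sources


def bpf_run(prog, pkt):
    """Execute a classic BPF program (list of (code, jt, jf, k)) over one frame.

    Returns the number of bytes the filter wants captured: 0 means "not
    interested". Loads that reach outside the frame terminate with 0, mirroring
    the kernel interpreter's behaviour on short packets.
    """
    A = X = 0
    pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_LD:
            mode, size = code & 0xe0, code & 0x18
            if mode == BPF_LEN:
                A = len(pkt)
                continue
            off = k if mode == BPF_ABS else X + k
            width = {BPF_W: 4, BPF_H: 2, BPF_B: 1}[size]
            if off + width > len(pkt):
                return 0
            A = int.from_bytes(pkt[off:off + width], "big")
        elif cls == BPF_LDX:
            mode = code & 0xe0
            if mode == BPF_MSH:                      # X = 4 * (pkt[k] & 0x0f): IPv4 header length
                if k >= len(pkt):
                    return 0
                X = (pkt[k] & 0x0f) * 4
            elif mode == BPF_LEN:
                X = len(pkt)
            else:                                    # BPF_IMM
                X = k
        elif cls == BPF_JMP:
            op = code & 0xf0
            src = X if code & BPF_X else k
            if op == BPF_JA:
                pc += k
                continue
            cond = {BPF_JEQ: A == src, BPF_JGT: A > src,
                    BPF_JGE: A >= src, BPF_JSET: (A & src) != 0}[op]
            pc += jt if cond else jf
        elif cls == BPF_RET:
            return A if code & BPF_A else k
        else:
            raise ValueError("unsupported instruction class 0x%x" % cls)
    raise ValueError("program fell off the end")


# tcpdump -dd 'ip and tcp dst port 22' on an Ethernet link, as (code, jt, jf, k).
PROG_TCP_DPORT_22 = [
    (BPF_LD | BPF_H | BPF_ABS, 0, 0, 12),       # A = ethertype
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 8, 0x0800),  # not IPv4 -> ret 0
    (BPF_LD | BPF_B | BPF_ABS, 0, 0, 23),       # A = IP protocol
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 6, 6),       # not TCP -> ret 0
    (BPF_LD | BPF_H | BPF_ABS, 0, 0, 20),       # A = flags/fragment offset
    (BPF_JMP | BPF_JSET | BPF_K, 4, 0, 0x1fff), # non-first fragment -> ret 0
    (BPF_LDX | BPF_B | BPF_MSH, 0, 0, 14),      # X = IPv4 header length
    (BPF_LD | BPF_H | BPF_IND, 0, 0, 16),       # A = TCP destination port
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 22),
    (BPF_RET | BPF_K, 0, 0, 262144),            # match: capture up to 262144 bytes
    (BPF_RET | BPF_K, 0, 0, 0),                 # no match
]


def make_frame(proto, dst_port, ethertype=0x0800, frag_field=0):
    """Constructed Ethernet + IPv4 + 20-byte L4 header frame (sample data, not a capture)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, frag_field, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16
    return eth + ip + l4


def classify(pkt):
    """Convenience wrapper: capture length the SSH filter assigns to a frame."""
    return bpf_run(PROG_TCP_DPORT_22, pkt)


if __name__ == "__main__":
    for label, frame in [("tcp/22", make_frame(6, 22)), ("tcp/80", make_frame(6, 80)),
                         ("udp/22", make_frame(17, 22)), ("ipv6", make_frame(6, 22, 0x86dd)),
                         ("fragment", make_frame(6, 22, frag_field=0x2001))]:
        print("%-9s -> capture %d bytes" % (label, classify(frame)))
```

The fragment case is the one worth noticing: a non-first fragment carries no TCP header, so the program returns 0 rather than reading port bytes from payload. A pass/block filter in pf, ipf or npf has to make the same decisions but then also act on the packet, track state, and rewrite addresses for NAT; that is the extra functionality the reply attributes to the pfil(9)-based filters.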