Re: Why so many packet filters?
On Mon, Aug 15, 2016 at 12:10 PM, Paul Goyette <paul%vps1.whooppee.com@localhost> wrote:
> Taking a quick look, it seems that we have at least four (maybe five)
> different packet filters available.
> bpf (and bpfjit)
> Is there a concise description of each, and when to use one vs the
(I'm not so familiar with filters, so please someone correct me
if I'm wrong.)
First of all, bpf (bpfjit) is different from the others. bpf sniffs
raw packets on rx/tx in network device drivers (grep bpf_mtap) and
also allows sending raw packets directly via ifp->if_output
(e.g., ether_output). It doesn't provide the pass/block filters that
the others provide.
bpfjit is just an optimization option of bpf. So we don't need to
treat it individually.
pf, ipf and npf provide pass/block functionality (and more) at
hook points (grep pfil_run_hooks) in the network stack via pfil(9),
which realize, say, firewalls and NAT/NAPT. They provide similar
functions, but unfortunately their functions aren't compatible and
cannot easily replace one another, IIUC. (Someone would explain
details of the differences.)
npf is a newer filter than the others and is designed for multi-core
systems. So basically we recommend npf when one wants to use one of
BTW should we mark pf and ipf deprecated in netbsd-8 as they aren't
well maintained nowadays?
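The distinction drawn above (bpf inspects raw rx/tx frames and decides only how much of a frame to copy to a listener, while pf/ipf/npf make pass/block decisions at pfil(9) hooks) is easiest to see with a filter program in hand. The following is an added example, not code from this thread or from NetBSD's bpf_filter(); it is a deliberately reduced model of the classic BPF virtual machine with four opcodes, running the equivalent of tcpdump's "ip and tcp" over constructed Ethernet/IPv4 frames. It assumes untagged Ethernet (EtherType at offset 12, IP protocol byte at offset 23); the opcode names, `run_filter`, `make_frame` and `classify_sample` are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a classic BPF program (not NetBSD's real instruction set). */
enum {
    OP_LDH_ABS = 1, /* A = 16-bit big-endian word at packet[k] */
    OP_LDB_ABS,     /* A = byte at packet[k] */
    OP_JEQ,         /* pc = next + (A == k ? jt : jf) */
    OP_RET_K        /* return k: bytes to capture, 0 = do not copy to listener */
};

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define SNAPLEN 262144u

/* Equivalent of tcpdump's "ip and tcp" on untagged Ethernet (assumption). */
static const struct insn ip_tcp_prog[] = {
    { OP_LDH_ABS, 0, 0, 12 },      /* A = EtherType */
    { OP_JEQ,     0, 3, 0x0800 },  /* not IPv4 -> skip to the final ret #0 */
    { OP_LDB_ABS, 0, 0, 23 },      /* A = IP protocol field (14 + 9) */
    { OP_JEQ,     0, 1, 6 },       /* not TCP -> ret #0 */
    { OP_RET_K,   0, 0, SNAPLEN }, /* match: capture up to SNAPLEN bytes */
    { OP_RET_K,   0, 0, 0 },       /* no match: frame is not copied */
};

/* Run the program over one frame. Note what the result means: a capture
 * length for the listener, never a verdict on whether the stack forwards
 * or drops the frame. Out-of-bounds loads reject, as real bpf does. */
static uint32_t run_filter(const struct insn *prog, size_t n,
                           const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_LDH_ABS:
            if ((size_t)i->k + 2 > len) return 0;
            a = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case OP_LDB_ABS:
            if ((size_t)i->k + 1 > len) return 0;
            a = pkt[i->k];
            break;
        case OP_JEQ:
            pc += (a == i->k) ? i->jt : i->jf; /* loop's pc++ adds the "next" */
            break;
        case OP_RET_K:
            return i->k;
        default:
            return 0; /* unknown opcode: reject */
        }
    }
    return 0; /* fell off the end: reject */
}

/* Constructed 54-byte Ethernet + IPv4 + TCP-shaped frame (sample data, not a capture). */
static size_t make_frame(uint8_t *buf, uint16_t ethertype, uint8_t ipproto)
{
    memset(buf, 0, 54);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    buf[14] = 0x45;      /* IPv4, IHL = 5 */
    buf[23] = ipproto;   /* protocol byte of the IP header */
    return 54;
}

/* 0: IPv4+TCP, 1: IPv4+UDP, 2: ARP, 3: IPv4+TCP truncated to 20 bytes. */
uint32_t classify_sample(int kind)
{
    uint8_t buf[64];
    size_t len;
    switch (kind) {
    case 0: len = make_frame(buf, 0x0800, 6);  break;
    case 1: len = make_frame(buf, 0x0800, 17); break;
    case 2: len = make_frame(buf, 0x0806, 0);  break;
    case 3: make_frame(buf, 0x0800, 6); len = 20; break;
    default: return 0;
    }
    return run_filter(ip_tcp_prog, sizeof ip_tcp_prog / sizeof ip_tcp_prog[0],
                      buf, len);
}

int main(void)
{
    const char *names[] = { "ipv4/tcp", "ipv4/udp", "arp", "truncated" };
    for (int k = 0; k < 4; k++)
        printf("%-10s -> capture %u bytes\n", names[k], classify_sample(k));
    return 0;
}
```

The point to take from the return values: a "reject" from a bpf program only means the frame is not handed to that listener, the stack still transmits or receives it. A pass/block decision on the same frame belongs in a pfil(9)-attached filter such as npf, which is why bpf and the other three are not alternatives to each other.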