Re: Why so many packet filters?

[Ryota Ozaki <ozaki-r%netbsd.org@localhost>]

On Mon, Aug 15, 2016 at 12:10 PM, Paul Goyette <paul%vps1.whooppee.com@localhost> wrote:
> Taking a quick look, it seems that we have at least four (maybe five)
> different packet filters available.
>
>         pf
>         ipf
>         bpf (and bpfjit)
>         npf
>
> Is there a concise description of each, and when to use one vs the
> other?

(I'm not so familiar with filters, so please someone correct me
 if I'm wrong.)

First of all, bpf (bpfjit) is different from the others. bpf sniffs
raw packets on rx/tx in network device drivers (grep bpf_mtap) and
also allows to send raw packets directly via ifp->if_output
(e.g., ether_output). It doesn't provide pass/block filters that
the others provide.

bpfjit is just an optimization option of bpf. So we don't need to
treat it individually.

pf, ipf and npf provide pass/block functionalities (and more) at
hook points (grep pfil_run_hooks) in the network stack via pfil(9),
which realizes say firewall and NAT/NAPT. They provide similar
functions but unfortunately their functions aren't compatible and
cannot replace one to another easily, IIUC. (Someone would explain
details of the differences.)

npf is a newer filter than the others and designed for multi-core
systems. So basically we recommend npf when one want to use one of
them newly.

BTW should we mark pf and ipf deprecated in netbsd-8 as they aren't
well maintained nowadays?

  ozaki-r