Current-Users archive


Re: Why so many packet filters?

On Mon, 15 Aug 2016, Ryota Ozaki wrote:

> First of all, bpf (bpfjit) is different from the others. bpf sniffs
> raw packets on rx/tx in network device drivers (grep bpf_mtap) and
> also allows sending raw packets directly via ifp->if_output
> (e.g., ether_output). It doesn't provide the pass/block filters that
> the others provide.
>
> bpfjit is just an optimization option of bpf. So we don't need to
> treat it individually.

OK, that makes sense.

> pf, ipf and npf provide pass/block functionality (and more) at
> hook points (grep pfil_run_hooks) in the network stack via pfil(9),
> which realizes, say, a firewall and NAT/NAPT. They provide similar
> functions but unfortunately their functions aren't compatible and
> cannot easily replace one another, IIUC. (Someone else could explain
> the details of the differences.)

I would very much like to know the differences. Also, can you use more than one of them at a time? Do they share the same "hook points" but
try to install different action routines?

> npf is a newer filter than the others and is designed for multi-core
> systems. So basically we recommend npf when one wants to start using
> one of them.

Other than "it's newer", are there any significant differences between npf vs pf or ipf?

> BTW should we mark pf and ipf deprecated in netbsd-8 as they aren't
> well maintained nowadays?

Well, ipf is sort-of OK, since we at least have a reasonably complete set of ATF tests, so if something breaks we should find out. But pf doesn't seem to have any tests, so we'll never know if it breaks. It sure would be nice to not have to maintain untested code. :)

| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at |
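To make the distinction drawn in this thread concrete (a bpf tap that only observes versus pfil hook points where several filters can be registered and any one of them can drop a packet), here is a small user-space model in C. It is an added example, not code from the thread or from the NetBSD kernel: the names pfil_run_hooks and bpf_mtap are borrowed from the discussion, but the signatures, the struct layouts and the "first non-zero return drops" rule are simplified assumptions, and the four packets are constructed test traffic.

```c
/* User-space model of a bpf-style tap versus a pfil-style hook point.
 * Simplified assumptions, not the NetBSD pfil(9) or bpf(4) API. */
#include <stdio.h>
#include <stdint.h>

enum { DIR_IN = 1, DIR_OUT = 2 };
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

/* A constructed, minimal packet: just the fields the filters below look at. */
struct pkt {
    uint8_t  proto;
    uint16_t dport;
};

/* pfil-style hook: returns 0 to pass, non-zero to drop (assumption). */
typedef int (*hook_fn)(struct pkt *p, int dir, void *arg);
/* bpf-style tap: observes the packet but cannot change its fate. */
typedef void (*tap_fn)(const struct pkt *p, void *arg);

#define MAX_HOOKS 8

struct pfil_head {            /* one hook point shared by all filters */
    hook_fn fn[MAX_HOOKS];
    void   *arg[MAX_HOOKS];
    int     n;
};

struct bpf_if {               /* taps attached to one interface */
    tap_fn fn[MAX_HOOKS];
    void  *arg[MAX_HOOKS];
    int    n;
};

static int pfil_add_hook(struct pfil_head *h, hook_fn fn, void *arg)
{
    if (h->n >= MAX_HOOKS)
        return -1;
    h->fn[h->n] = fn;
    h->arg[h->n] = arg;
    h->n++;
    return 0;
}

/* Run every registered filter in order; the first non-zero answer drops. */
static int pfil_run_hooks(struct pfil_head *h, struct pkt *p, int dir)
{
    for (int i = 0; i < h->n; i++) {
        int rv = h->fn[i](p, dir, h->arg[i]);
        if (rv != 0)
            return rv;
    }
    return 0;
}

/* Hand the raw packet to every attached tap; taps have no return value. */
static void bpf_mtap(struct bpf_if *b, const struct pkt *p)
{
    for (int i = 0; i < b->n; i++)
        b->fn[i](p, b->arg[i]);
}

/* Two filters standing in for two firewalls registered at the same hook point. */
static int block_telnet(struct pkt *p, int dir, void *arg)
{
    (void)dir; (void)arg;
    return (p->proto == PROTO_TCP && p->dport == 23) ? 1 : 0;
}

static int block_inbound_udp(struct pkt *p, int dir, void *arg)
{
    (void)arg;
    return (dir == DIR_IN && p->proto == PROTO_UDP) ? 1 : 0;
}

/* A tap that only counts, like a sniffer running with a "tcp" filter. */
struct tap_stats { int seen; int tcp; };

static void count_tap(const struct pkt *p, void *arg)
{
    struct tap_stats *s = arg;
    s->seen++;
    if (p->proto == PROTO_TCP)
        s->tcp++;
}

/* Receive path: the tap sees the raw packet, then the hook point decides.
 * Returns 1 if the packet is passed up the stack, 0 if it was dropped. */
int deliver(struct pfil_head *h, struct bpf_if *b, struct pkt *p, int dir)
{
    bpf_mtap(b, p);
    return pfil_run_hooks(h, p, dir) == 0;
}

/* Constructed traffic: returns how many of the four packets were passed. */
int run_demo(struct tap_stats *st)
{
    struct pfil_head inet_head = { {0}, {0}, 0 };
    struct bpf_if    bpf_if0   = { {count_tap}, {st}, 1 };
    struct pkt traffic[] = { {PROTO_TCP, 80}, {PROTO_TCP, 23},
                             {PROTO_UDP, 53}, {PROTO_UDP, 53} };
    int dirs[] = { DIR_IN, DIR_IN, DIR_IN, DIR_OUT };
    int passed = 0;

    pfil_add_hook(&inet_head, block_telnet, NULL);
    pfil_add_hook(&inet_head, block_inbound_udp, NULL);
    for (int i = 0; i < 4; i++)
        passed += deliver(&inet_head, &bpf_if0, &traffic[i], dirs[i]);
    return passed;
}

int demo_passed(void)   { struct tap_stats st = {0, 0}; return run_demo(&st); }
int demo_tap_seen(void) { struct tap_stats st = {0, 0}; run_demo(&st); return st.seen; }
int demo_tap_tcp(void)  { struct tap_stats st = {0, 0}; run_demo(&st); return st.tcp; }

int main(void)
{
    struct tap_stats st = { 0, 0 };
    int passed = run_demo(&st);
    printf("tap saw %d packets (%d tcp); hook point passed %d of 4\n",
           st.seen, st.tcp, passed);
    return 0;
}
```

The tap records all four packets regardless of what the filters decide, while the hook point passes only the TCP/80 and outbound UDP packets: the telnet packet is dropped by the first filter and the inbound UDP packet by the second, which is the sense in which two filters can coexist at one hook point yet not be interchangeable.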
