Re: Why so many packet filters?

To: Ryota Ozaki <ozaki-r%netbsd.org@localhost>
Subject: Re: Why so many packet filters?
From: Paul Goyette <paul%vps1.whooppee.com@localhost>
Date: Mon, 15 Aug 2016 14:08:16 +0800 (PHT)

On Mon, 15 Aug 2016, Ryota Ozaki wrote:

First of all, bpf (bpfjit) is different from the others. bpf sniffs
raw packets on rx/tx in network device drivers (grep bpf_mtap) and
also allows to send raw packets directly via ifp->if_output
(e.g., ether_output). It doesn't provide pass/block filters that
the others provide.

bpfjit is just an optimization option of bpf. So we don't need to
treat it individually.


OK, that makes sense.

pf, ipf and npf provide pass/block functionalities (and more) at
hook points (grep pfil_run_hooks) in the network stack via pfil(9),
which realizes say firewall and NAT/NAPT. They provide similar
functions but unfortunately their functions aren't compatible and
cannot replace one to another easily, IIUC. (Someone would explain
details of the differences.)

I would very much like to know the differences. Also, can you use morethan one of them at a time? Do they share to same "hook points" but

try to install different action routines?

npf is a newer filter than the others and designed for multi-core
systems. So basically we recommend npf when one want to use one of
them newly.

Other than "it's newer", are there any significant differences betweennpf vs pf or ipf?

BTW should we mark pf and ipf deprecated in netbsd-8 as they aren't
well maintained nowadays?

Well, ipf is sort-of OK, since we at least have a reasonably completeset of ATF tests, so if something breaks we should find out. But pfdoesn't seem to have any tests, so we'll never know if it breaks. Itsure would be nice to not have to maintain untested code. :)



+------------------+--------------------------+------------------------+
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
+------------------+--------------------------+------------------------+

Follow-Ups:
- Re: Why so many packet filters?
  - From: Ryota Ozaki

References:
- Why so many packet filters?
  - From: Paul Goyette
- Re: Why so many packet filters?
  - From: Ryota Ozaki

Prev by Date: Re: Why so many packet filters?
Next by Date: Re: Why so many packet filters?
Previous by Thread: Re: Why so many packet filters?
Next by Thread: Re: Why so many packet filters?
Indexes:

Home | Main Index | Thread Index | Old Index