New PF (OpenBSD 3.7 ***ALPHA-preview***)

From: Max Laier (max_at_love2party.net)
Date: 04/20/05

    To: freebsd-pf@freebsd.org
    Date: Wed, 20 Apr 2005 01:12:30 +0200


    All,

    at:
        http://people.freebsd.org/~mlaier/pf37/

    you will find the first shot at the long awaited import of a new version of
    pf. This is level with what is likely to be shipped as OpenBSD 3.7 and
    includes *most* of the features. Some are not yet implemented:

     - Filtering on route labels (we don't have any).
     - Return-rst on IP-less bridges (bridge support is still behind; there is
       work ongoing to improve this as well, though).
     - Congestion prevention/graceful comeback (subject to future work).

    There are, however, some highlights that came with OpenBSD 3.6 and will be
    coming with OpenBSD 3.7 (from the OpenBSD release notes):

     + pfctl(8) now provides a rules optimizer to help improve filtering speed.
     + pf now supports nested anchors.
     + Support limiting TCP connections by establishment rate, automatically
       adding flooding IP addresses to tables and flushing states
       (max-src-conn-rate, overload <table>, flush global).
     + Improved functionality of tags (tag and tagged for translation rules,
       tagging of all packets matching state entries).
     + Improved diagnostics (error messages and additional counters from
       pfctl -si).
     + New keyword set skip on to skip filtering on arbitrary interfaces, like
       loopback.
     + Several bugfixes improving stability.

    This import is in a very early stage and you should keep this in mind!

    However, it should build and boot just fine. I have done some basic tests to
    weed out the common problems seen during the last imports, but didn't do
    extensive testing yet. If you are in a position where you can test this, I
    am looking forward to getting your feedback!

    Updates will be posted to the freebsd-pf mailing list. Thanks.

    -- 
    /"\  Best regards,                      | mlaier@freebsd.org
    \ /  Max Laier                          | ICQ #67774661
     X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
    / \  ASCII Ribbon Campaign              | Against HTML Mail and News
    
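The following pf.conf is an added example for testers of this import; it is not part of Max Laier's post or of the pf/OpenBSD sources. It exercises the 3.6/3.7 features listed in the message (set skip, max-src-conn-rate with overload and flush global, tags on translation rules, nested anchors) in one ruleset. Interface names (fxp0/fxp1), the table name, the anchor path and the anchor file /etc/pf.anchors/www are assumptions; the load anchor line expects that file to exist, so drop it or point it at a file of your own.

```conf
# Added example pf.conf for the OpenBSD 3.6/3.7 feature set.
# Interface names, table name, anchor path and anchor file are assumptions.
ext_if = "fxp0"
int_if = "fxp1"

# "set skip" replaces the old "pass quick on lo0" idiom: lo0 is never
# filtered at all.
set skip on lo0

# Sources that trip the overload rule below land in this table.
# "persist" keeps the table around even while it is empty.
table <bruteforce> persist

scrub in all

# Translation rules can carry a tag; the matching filter rule further
# down keys on the tag instead of re-matching addresses.
nat on $ext_if from $int_if:network to any tag LAN -> ($ext_if)

block log all

# Anything already in the table is dropped before any state is created.
block in quick on $ext_if from <bruteforce>

# Outbound LAN traffic is recognised by the tag set on the nat rule.
pass out on $ext_if tagged LAN keep state
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) keep state
pass in on $int_if from $int_if:network keep state

# SSH: a source that opens more than 5 new connections within 30
# seconds (or holds more than 10 at once) is added to <bruteforce>,
# and "flush global" tears down every state that source owns, not only
# the states created by this rule.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# Nested anchors: every anchor loaded under services/ is evaluated here,
# so per-service rulesets can be loaded and flushed independently.
anchor "services/*"
load anchor "services/www" from "/etc/pf.anchors/www"
```

To check the file without loading it, run `pfctl -nf /etc/pf.conf`; adding `-o` runs the new rule optimizer, and `-v` prints the resulting rules so you can see what it merged. After loading, `pfctl -si` shows the extra counters mentioned above, `pfctl -t bruteforce -T show` lists sources that tripped the rate limit, and `pfctl -a services/www -sr` shows the rules inside the nested anchor on their own. When testing the overload rule, trip it from a host you can still reach another way, because flush global kills all of that host's states, including the session you are testing from.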