NetBSD vs. packet filtering (Re: [BSD] pf.conf question)
Kulcsár Ferenc
crusader at netbsd.hu
Tue, 2 Sep 2003, 20:57:08 CEST
Hello,
On Tue, 02 Sep 2003 09:59:42 +0200
Adam Szilveszter <adam at hif.hu> wrote:
> Marton Fabo wrote:
>
> > While we're at it, why do we like NetBSD for packet filtering?
>
> I don't know, but I'm glad that with ALTQ and pf becoming available
> for FreeBSD, at least there the "set" will be complete. (pf is already
> in the ports.)
and you can put it into NetBSD-current!
Subject: PF for netbsd
To: None <tech-net at netbsd.org>
From: None <itojun at iijlab.net>
List: tech-net
Date: 06/26/2003 19:09:02
ftp://ftp.kame.net/pub/kame/misc/netbsd-pf-20030626.diff
has PF (openbsd packet filter) for netbsd-current as of today.
caveats:
- does not support (interface) syntax
- ip_off/ip_len endian flipping needs testing
my ultimate goal is to replace ipsec policy engine by PF tagging
(just like ALTQ integration to PF on openbsd).
itojun
and then we can continue here:
http://foo.unix.se/joelw/pflkm.html
pf loadable kernel module for NetBSD
Email me (Joel Wilsson) if you have any questions or suggestions.
News
2003-06-26 OpenBSD-current pf patches available for NetBSD-current
itojun has created patches for NetBSD-current, a port of pf from OpenBSD-current. You can get them here, and you might also want to read his announcement. itojun is a member of the NetBSD Core Group, so obviously he has a much better chance to get pf into the main NetBSD source tree than I do. That means my efforts to do the same are redundant. I'll give him any help he wants or needs, but I don't think this site has much purpose any more. This page will be updated with any further information I get about itojun's port, though.
2003-06-04 pflkm for NetBSD-current available
Due to popular demand I've made a pflkm for NetBSD-current. Many thanks to Tom Hensel and Peter Postma who both supplied patches (although this new version doesn't use any code from them, they convinced me it was less work than I first thought) and those who asked about support for NetBSD-current - I wouldn't have done this if it wasn't for you.
Information
The OpenBSD packet filter (or pf, for short) replaced Darren Reed's IP Filter in OpenBSD 3.0, due to problems with IP Filter's license. Since then, pf has evolved quickly, and now has several advantages over IP Filter. Here is a port of the pf code found in OpenBSD 3.3 to NetBSD 1.6.1.
In my opinion, the biggest advantage is the integration with ALTQ, a QoS framework for various packet scheduling algorithms, but there's also work on adding support for things like stateful failover between pf firewalls. Considering how much work is being done on pf, the advantages over IP Filter will only increase. Therefore, I believe NetBSD will eventually want to integrate pf into NetBSD. Until then, you can use this loadable kernel module to get pf going, although it unfortunately does not support ALTQ (that would require many changes to the kernel, not possible for a mere LKM).
So why isn't it already in NetBSD-current? Well, core at netbsd.org is of the opinion that pf is not yet mature enough, so they decided to leave it out (at least that's what they thought in January, 2003). I will update this LKM once for every OpenBSD release, until they change their mind, and I also hope to create a set of patches against NetBSD-current with full support for IPv6 and ALTQ.
Installation
First, download the pflkm tarball, then extract, compile and install it:
$ tar xzf pflkm-3.3.tar.gz
$ cd pflkm-3.3
$ make
$ make install # as root, or use sudo
Now you can load the LKM and create /dev/pf like this:
$ modload -p /sbin/pfmkdev /usr/lkm/pfmodule.o
If you want pf to get loaded automatically at boot time, you need to set LKM=yes in /etc/rc.conf and add this line to /etc/lkm.conf:
/usr/lkm/pfmodule.o - - /sbin/pfmkdev - AFTERMOUNT
And that's all, really. You should now be ready to start using pf under NetBSD. The rest is up to you, but here are some links you might find useful:
PF User's Guide is of course a must read.
Jacek Artymiak's pf articles are very good, well worth reading.
pf-repository is a good place to find examples of rulesets and even more links.
So then, "stay tuned", as the cultured Frenchman says!
Regards:
- cr -
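An added example, not code from the pflkm page, from itojun's announcement or from the post above: a pre-flight lint for a pf.conf ruleset before it is loaded on either early NetBSD port. The two caveats quoted above are that itojun's diff "does not support (interface) syntax" and that the pflkm cannot do ALTQ, so the script flags "(ifname)" dynamic-interface addresses and altq/queue rules, and can rewrite the dynamic-interface form to a fixed address. The function names, the exit-code scheme, the constructed sample ruleset and the 192.0.2.10 address are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the pflkm page or the mailing-list post): lint a
# pf.conf ruleset for the two constructs the early NetBSD pf ports lack:
#   - "(ifname)" / "($macro)" dynamic-interface syntax (itojun's diff)
#   - altq / queue rules (the pflkm, which cannot reach ALTQ from an LKM)
# Function names, exit codes and the sample ruleset are this example's own.

# pf_strip_comments FILE -> the ruleset with '#' comments removed
pf_strip_comments() {
    sed -e 's/#.*$//' "$1"
}

# pf_uses_dynamic_iface FILE -> exit 0 if "(ne0)", "($ext_if)" or
# "(ne0:network)" appears. The "(" must not follow an identifier character,
# so ALTQ scheduler options such as "cbq(default)" are not counted.
pf_uses_dynamic_iface() {
    pf_strip_comments "$1" |
        grep -Eq '(^|[^A-Za-z0-9_])\(\$?[A-Za-z_][A-Za-z0-9_]*(:[A-Za-z0-9]+)?\)'
}

# pf_uses_altq FILE -> exit 0 if an "altq" or "queue" keyword appears
pf_uses_altq() {
    pf_strip_comments "$1" |
        grep -Eq '(^|[[:space:]])(altq|queue)([[:space:]]|$)'
}

# pf_preflight FILE -> 0 clean, 1 dynamic iface, 2 altq/queue, 3 both
pf_preflight() {
    pf_rc=0
    if pf_uses_dynamic_iface "$1"; then
        echo "$1: uses (ifname) syntax, unsupported by the netbsd-pf diff" >&2
        pf_rc=$((pf_rc + 1))
    fi
    if pf_uses_altq "$1"; then
        echo "$1: uses altq/queue, unsupported by the pflkm" >&2
        pf_rc=$((pf_rc + 2))
    fi
    return $pf_rc
}

# pf_static_iface FILE TOKEN ADDR -> ruleset on stdout with every literal
# "(TOKEN)" replaced by ADDR (awk index() does a literal, not regex, match,
# so a TOKEN such as '$ext_if' needs no escaping).
pf_static_iface() {
    awk -v tok="($2)" -v addr="$3" '
        { while ((i = index($0, tok)) > 0)
              $0 = substr($0, 1, i - 1) addr substr($0, i + length(tok)) }
        { print }' "$1"
}

# pf_sample_ruleset FILE -> writes a constructed ruleset that uses both
# unsupported constructs (sample input, not taken from any real host)
pf_sample_ruleset() {
    cat > "$1" <<'EOF'
ext_if = "ne0"
block in all
# dynamic interface address: unsupported by the netbsd-pf diff
pass out on $ext_if from ($ext_if) to any keep state
# ALTQ: unsupported by the pflkm
altq on $ext_if cbq bandwidth 2Mb queue { std }
queue std bandwidth 100% cbq(default)
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state queue std
EOF
}

# Stand-alone demo on the constructed ruleset
demo=$(mktemp)
pf_sample_ruleset "$demo"
pf_preflight "$demo" || echo "preflight exit code: $?"
echo "--- rewritten with a fixed address ---"
pf_static_iface "$demo" '$ext_if' 192.0.2.10
rm -f "$demo"
```

Run it against your real /etc/pf.conf with `pf_preflight /etc/pf.conf`; a non-zero exit tells you which caveat you hit before `pfctl -nf` ever sees the file. The rewrite helper only handles the plain "(token)" form; "(ne0:network)" style addresses still have to be replaced by hand with the network in question.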
More information about the BSD mailing list