• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: bringing pf (4) to OS X via NKE
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: bringing pf (4) to OS X via NKE

  • Subject: Re: bringing pf (4) to OS X via NKE
  • From: <email@hidden>
  • Date: Mon, 30 Oct 2006 20:49:23 -0000
My link to the man page seems to have been clobbered, but it should describe
fairly accurately what I will attempt to implement:
http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4

The OpenBSD guide for pf:
http://www.openbsd.org/faq/pf/

And Daniel Hartmeier's (the original author) website:
http://www.benzedrine.cx/pf.html

In brief, pf (4) brings NAT, QoS, and stateful packet filtering to the kernel,
whereas currently we must rely on userland programs like natd and throttled in
order to do NAT and QoS, respectively, via Divert sockets. Thus, we take a big
hit on performance and flexibility. For instance, to change a port forwarding
rule in the current setup one must kill natd, modify either the command line
arguments or the config file, then restart natd which results in all NAT
connections being dropped in order to change a rule on the fly. Not to mention
the time lost in communication from kernel to user and back to kernel a couple
of times per packet. Hence the motivation for pf for OS X.

Cheers,
Joe

Josh Graessley <email@hidden> said:

>
> Those familiar with the KPIs may not be familiar with pf.
>
> An interface filter or an IP filter are the most likely places to tie
> in to the stack. I know nothing of pf, so I can't really help with a
> better answer.
>
> -josh
>
> On Oct 29, 2006, at 9:55 PM, Joseph Gorse wrote:
>
> > Hello all,
> >
> > I'm posting my intention to port pf (4) (http://www.freebsd.org/cgi/
> > man.cgi?query=pf&sektion=4) to an NKE for use as a replacement or
> > complement to the current ipfw2.
> >
> > According to the Network Kernel Extensions Programming Guide
> > (http://developer.apple.com/documentation/Darwin/Conceptual/
> > NKEConceptual/index.html) it seems I might use an Interface Filter
> > KPI mechanism to accomplish such a task. So I ask those who are
> > more familiar with NKEs, is this a reasonable task, am I sane to
> > try it, and do you have any words of advice?
> >
> > Thank you for your time,
> > Joe Gorse
> > _______________________________________________
> > Do not post admin requests to the list. They will be ignored.
> > Darwin-dev mailing list      (email@hidden)
> > Help/Unsubscribe/Update your Subscription:
> > 40apple.com
> >
> > This email sent to email@hidden
>
>



--



 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >bringing pf (4) to OS X via NKE (From: Joseph Gorse <email@hidden>)
 >Re: bringing pf (4) to OS X via NKE (From: Josh Graessley <email@hidden>)

  • Prev by Date: Re: bringing pf (4) to OS X via NKE
  • Next by Date: Re: Directory Services only returns 1000 users from Active Directory/All Domains/Users
  • Previous by thread: Re: bringing pf (4) to OS X via NKE
  • Next by thread: Re: bringing pf (4) to OS X via NKE
  • Index(es):
    • Date
    • Thread