Version of pf in Mac OS X 10.10.4
- Subject: Version of pf in Mac OS X 10.10.4
- From: Q and A <email@hidden>
- Date: Sat, 25 Jul 2015 13:27:05 -0400
Hello,
I am currently working on pf rulesets for a number of Macs. The syntax of pf.conf is a bit different than that in the most current release of OpenBSD which got me wondering what version of pf is integrated into Mac OS X 10.10.4 (what my workstations are currently running).
According to Peter Hansteen’s book “The Book of pf, 3rd ed”, on page 193:
“In PF versions up to and including OpenBSD 4.5, the scrub keyword enables network traffic normalization. With scrub, fragmented packets are reassembled, and invalid fragments—such as overlapping fragments—are discarded, so the resulting packet is complete and unambiguous.”
In man pf.conf on Mac OS X 10.10.4, there is mention of this:
“Packet normalization is invoked with the scrub directive.”
Hansteen also notes that post-OpenBSD 4.5, a match rule is used with scrubbing instead:
“In OpenBSD 4.6, scrub was demoted from stand-alone rule material to become an action you could attach to pass or match rules (the introduction of match rules being one of the main new PF features in OpenBSD 4.6).”
…which would imply that if pf in Mac OS X 10.10.4 was in synch with post-OpenBSD 4.5, scrubbing would be accomplished via something like:
match in all scrub …etc.
On:
http://opensource.apple.com/source/xnu/xnu-2782.1.97/bsd/net/pf.c
…I can see the following in the comments:
$OpenBSD: pf.c,v 1.567 2008/02/20 23:40:13 henning Exp $ */
…while on:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c?rev=1.935&content-type=text/x-cvsweb-markup
…I can see the following in the comments:
$OpenBSD: pf.c,v 1.935 2015/07/21 02:32:04 sashan Exp $ */
…so it is safe to say that they are not both running the OpenBSD 5.7 version of pf.
What OpenBSD version was pf pulled from for Mac OS X 10.10.4 and looking forward, what version is expected to be in the final El Capitan release?
Thank you for your assistance
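
The comparison made above between the two `$OpenBSD$` ident lines, as an added example that is not part of the original post: it parses both quoted strings and reports how many trunk revisions and days separate them. The function and constant names are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Ident lines exactly as quoted in the post (hypothetical constant names).
XNU_IDENT = "$OpenBSD: pf.c,v 1.567 2008/02/20 23:40:13 henning Exp $ */"
OPENBSD_IDENT = "$OpenBSD: pf.c,v 1.935 2015/07/21 02:32:04 sashan Exp $ */"

# RCS/CVS ident keyword: $Tag: file,v REV YYYY/MM/DD HH:MM:SS author state $
IDENT_RE = re.compile(
    r"\$(?P<tag>[A-Za-z]+):\s+(?P<file>\S+),v\s+(?P<rev>\d+(?:\.\d+)+)\s+"
    r"(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<author>\S+)\s+(?P<state>\S+)\s+\$"
)

def parse_ident(text):
    """Return the first ident keyword found in text as a dict, or None."""
    m = IDENT_RE.search(text)
    if m is None:
        return None
    return {
        "tag": m["tag"],
        "file": m["file"],
        # Integer tuples order correctly where strings would not (1.99 < 1.100).
        "rev": tuple(int(p) for p in m["rev"].split(".")),
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S"),
        "author": m["author"],
    }

def compare_idents(first, second):
    """Compare two ident lines that must describe the same file."""
    a, b = parse_ident(first), parse_ident(second)
    if a is None or b is None:
        raise ValueError("no ident keyword found")
    if (a["tag"], a["file"]) != (b["tag"], b["file"]):
        raise ValueError("idents refer to different files")
    # A revision count is only meaningful between two trunk revisions (X.Y).
    on_trunk = len(a["rev"]) == len(b["rev"]) == 2 and a["rev"][0] == b["rev"][0]
    return {
        "same_revision": a["rev"] == b["rev"],
        "newer": None if a["rev"] == b["rev"] else ("first" if a["rev"] > b["rev"] else "second"),
        "trunk_revisions_apart": abs(a["rev"][1] - b["rev"][1]) if on_trunk else None,
        "days_apart": abs((b["when"] - a["when"]).days),
    }

if __name__ == "__main__":
    print(compare_idents(XNU_IDENT, OPENBSD_IDENT))
```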