Re: bringing pf (4) to OS X via NKE
My link to the man page seems to have been clobbered, but it should describe fairly accurately what I will attempt to implement:
http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4

The OpenBSD guide for pf:
http://www.openbsd.org/faq/pf/

And Daniel Hartmeier's (the original author) website:
http://www.benzedrine.cx/pf.html

In brief, pf (4) brings NAT, QoS, and stateful packet filtering to the kernel, whereas currently we must rely on userland programs like natd and throttled in order to do NAT and QoS, respectively, via Divert sockets. Thus, we take a big hit on performance and flexibility. For instance, to change a port forwarding rule in the current setup one must kill natd, modify either the command line arguments or the config file, then restart natd which results in all NAT connections being dropped in order to change a rule on the fly. Not to mention the time lost in communication from kernel to user and back to kernel a couple of times per packet.

Hence the motivation for pf for OS X.

Cheers,
Joe

Josh Graessley <jgraessley@apple.com> said:
Those familiar with the KPIs may not be familiar with pf.
An interface filter or an IP filter are the most likely places to tie in to the stack. I know nothing of pf, so I can't really help with a better answer.
-josh
On Oct 29, 2006, at 9:55 PM, Joseph Gorse wrote:
Hello all,
I'm posting my intention to port pf (4) (http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4) to an NKE for use as a replacement or complement to the current ipfw2.
According to the Network Kernel Extensions Programming Guide (http://developer.apple.com/documentation/Darwin/Conceptual/NKEConceptual/index.html) it seems I might use an Interface Filter KPI mechanism to accomplish such a task. So I ask those who are more familiar with NKEs, is this a reasonable task, am I sane to try it, and do you have any words of advice?
Thank you for your time,
Joe Gorse
participants (1)
-
gorse@mps.ohio-state.edu