On Mon, Aug 15, 2016 at 12:10 PM, Paul Goyette <[email protected]> wrote:
> Taking a quick look, it seems that we have at least four (maybe five)
> different packet filters available.
>
> pf
> ipf
> bpf (and bpfjit)
> npf
>
> Is there a concise description of each, and when to use one vs the
> other?
(I'm not so familiar with filters, so please someone correct me if I'm wrong.)

First of all, bpf (bpfjit) is different from the others. bpf sniffs raw packets on rx/tx in network device drivers (grep bpf_mtap) and also allows sending raw packets directly via ifp->if_output (e.g., ether_output). It doesn't provide the pass/block filters that the others provide. bpfjit is just an optimization option of bpf, so we don't need to treat it individually.

pf, ipf and npf provide pass/block functionality (and more) at hook points (grep pfil_run_hooks) in the network stack via pfil(9), which realizes, say, a firewall and NAT/NAPT. They provide similar functions, but unfortunately their functions aren't compatible and one cannot easily be replaced with another, IIUC. (Someone would explain the details of the differences.)

npf is a newer filter than the others and is designed for multi-core systems. So basically we recommend npf when one wants to start using one of them.

BTW, should we mark pf and ipf deprecated in netbsd-8, as they aren't well maintained nowadays?

ozaki-r
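The distinction drawn above, a bpf tap that only classifies a copy of each frame versus pfil hooks that can block, is easy to see in a small model. The following is an added example, constructed for this thread and not NetBSD kernel code: a minimal classic-BPF interpreter (LD absolute, JEQ, RET only) standing in for what bpf evaluates at bpf_mtap time, and a hook chain standing in for pfil_run_hooks. The frame layout, the "block TCP port 23" policy, and all function names (model_bpf_filter, model_pfil_run_hooks, build_frame, hook_block_telnet) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two filter styles (not NetBSD code):
 *   - bpf-style tap: classifies a copy of the frame, can never drop it
 *   - pfil-style hooks: each hook returns 0 (pass) or 1 (block) */

/* ---- bpf side: tiny classic-BPF interpreter, LD absolute / JEQ / RET ---- */
enum { OP_LD_B, OP_LD_H, OP_JEQ, OP_RET_K };
struct model_insn { int op; uint32_t k; uint8_t jt, jf; };

/* Returns the number of bytes to capture (0 = frame not interesting).
 * Like a bpf_mtap consumer it only inspects; it cannot modify or drop. */
static uint32_t model_bpf_filter(const struct model_insn *prog, size_t n,
                                 const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < n) {
        const struct model_insn *in = &prog[pc];
        switch (in->op) {
        case OP_LD_B:                              /* A = pkt[k] */
            if ((size_t)in->k + 1 > len) return 0; /* short frame: reject */
            acc = pkt[in->k];
            pc++;
            break;
        case OP_LD_H:                              /* A = be16 at pkt[k] */
            if ((size_t)in->k + 2 > len) return 0;
            acc = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
            pc++;
            break;
        case OP_JEQ:                               /* branch on A == k */
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case OP_RET_K:
            return in->k;
        default:
            return 0;                              /* unknown opcode: reject */
        }
    }
    return 0;                                      /* ran off the end: reject */
}

/* Filter program "IPv4 and TCP" over Ethernet framing (constructed). */
static const struct model_insn tcp_filter[] = {
    { OP_LD_H,  12,     0, 0 },   /* A = ethertype                      */
    { OP_JEQ,   0x0800, 0, 3 },   /* not IPv4 -> jump to reject         */
    { OP_LD_B,  23,     0, 0 },   /* A = IP protocol                    */
    { OP_JEQ,   6,      0, 1 },   /* not TCP  -> jump to reject         */
    { OP_RET_K, 65535,  0, 0 },   /* accept: capture whole frame        */
    { OP_RET_K, 0,      0, 0 },   /* reject                             */
};
#define TCP_FILTER_LEN (sizeof tcp_filter / sizeof tcp_filter[0])

/* ---- pfil side: hooks return 0 = pass, 1 = block ---- */
typedef int (*model_hook)(const uint8_t *pkt, size_t len);

/* Constructed policy: block IPv4 TCP with destination port 23. */
static int hook_block_telnet(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (len < 14 + 20 + 4) return 0;
    if (pkt[12] != 0x08 || pkt[13] != 0x00 || pkt[23] != 6) return 0;
    ihl = (size_t)(pkt[14] & 0x0f) * 4;            /* IP header length */
    if (ihl < 20 || len < 14 + ihl + 4) return 0;
    return ((pkt[14 + ihl + 2] << 8) | pkt[14 + ihl + 3]) == 23;
}

static const model_hook model_hooks[] = { hook_block_telnet };

/* Stand-in for pfil_run_hooks(): the first hook that blocks wins. */
static int model_pfil_run_hooks(const uint8_t *pkt, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof model_hooks / sizeof model_hooks[0]; i++)
        if (model_hooks[i](pkt, len))
            return 1;                              /* dropped */
    return 0;                                      /* passed on */
}

/* Constructed Ethernet + IPv4 (IHL 5) frame with a 4-byte L4 header stub. */
static size_t build_frame(uint8_t *buf, uint16_t ethertype,
                          uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[14] = 0x45;                                /* version 4, IHL 5 */
    buf[23] = proto;
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport; /* dst port */
    return 54;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_frame(f, 0x0800, 6, 23);
    printf("telnet frame: bpf capture=%u bytes, pfil block=%d\n",
           model_bpf_filter(tcp_filter, TCP_FILTER_LEN, f, n),
           model_pfil_run_hooks(f, n));
    return 0;
}
```

The point the model makes is the one ozaki-r states: the same TCP-to-port-23 frame is "interesting" to the bpf program (it asks for a capture) yet is dropped by the hook chain, while bpf's verdict has no effect on forwarding at all.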
