
PF port available for NetBSD

Author
Thread       
admin
Administrator

Registered: Jan 2002
Location:
Posts: 2,811

NetBSD's itojun has ported PF (the OpenBSD packet filter) to netbsd-current as of today, as a patch. He says that presently it does not support the (interface) syntax and that ip_off/ip_len endian flipping needs testing. His ultimate goal is to replace the IPsec policy engine by PF tagging (just like the ALTQ integration with PF on OpenBSD). Syslogging is supported by pflog(8). He is also unsure whether the goal would be to replace ipfilter or to have PF be an alternative. He says that FreeBSD has 2 packet filters (or 3?) shipped with it and has no problem, hence both could be shipped simultaneously. But ipfilter and PF have very similar syntax, so we could choose to replace ipfilter with PF. itojun is a member of the NetBSD Core Group. Joel Wilsson had also started the PF migration efforts, and hopefully itojun and Joel can pool their efforts together as a team!


----------------------------------------------------

Subject: PF for netbsd
To: None <tech-net@netbsd.org>
From: None <itojun@iijlab.net>
List: tech-net
Date: 06/26/2003 19:09:02
http://web.archive.org/web/20051125170343/ftp://ftp.kame.net/pub/kame/misc/netbsd-pf-20030626.diff
has PF (openbsd packet filter) for netbsd-current as of today.

caveats:
- does not support (interface) syntax
- ip_off/ip_len endian flipping needs testing

my ultimate goal is to replace ipsec policy engine by PF tagging
(just like ALTQ integration to PF on openbsd).

itojun

--------------------

Subject: Re: PF for netbsd
To: None <tech-net@netbsd.org>
From: None <itojun@iijlab.net>
List: tech-net
Date: 06/28/2003 08:22:48
This is what I've done so far. Of course you can put more complex
PF rules for tagging. It basically eliminates code dupes between the
IPsec policy engine (which is essentially a packet filter) and PF
(or ipf, if it starts supporting tagging).

itojun

------- Forwarded Message
To: snap-users@kame.net
From: itojun@iijlab.net
Date: Sat, 28 Jun 2003 08:15:18 +0900
Subject: (KAME-snap 7878) PF tag and IPsec - usage example

on kame/netbsd we have integrated PF (from openbsd) and KAME
IPsec policy lookup engine (by using PF tags).
here's a simple example which demonstrates its use.

itojun


1. setup policy like below:

# setkey -c
spdadd tagged "ssh" -P in ipsec esp/transport//use;
spdadd 127.0.0.1 127.0.0.1 -P in ipsec esp/transport//require;
^D

(for traffic tagged with "ssh", ipsec is not mandatory; otherwise, ipsec is
mandatory)

2. setup pfkey like below:

# pfctl -e
# pfctl -f -
pass in on lo0 proto tcp from any to any port = ssh keep state tag ssh
pass out on lo0 proto tcp from any to any port = ssh keep state tag ssh
^D

(tag ssh traffic with "ssh")

3. Now, "telnet 127.0.0.1 25" will be banned, as the response packet is not
IPsec protected (there's no SA). "telnet 127.0.0.1 22" will be okay, as
it will be tagged "ssh".

4. caveat
On the outbound path, the order is (1) IPsec policy lookup, (2) packet filtering;
therefore, tags attached on the outbound path are not usable for the outbound IPsec policy.
(For a router, tagging on the inbound interface -> policy on the outgoing one would be
very useful, I think.)

------- End of Forwarded Message


06-27-2003, 01:55 AM
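The following is an added example, not part of the thread and not code from itojun's patch or from KAME/NetBSD: a small Python model of the two-stage pipeline the forwarded message describes (PF tagging, then the IPsec SPD lookup on inbound; the reverse order on outbound). It walks through the step 3 experiment (telnet to port 25 is refused without an SA, telnet to port 22 is tagged "ssh" and allowed) and the step 4 ordering caveat. Everything here is a constructed simplification: SPD entries are tried in the order added with first match winning, a "keep state" rule remembers its tag in the state entry so replies inherit it, and the hypothetical outbound tagged policy in the caveat demo is not on the page.

```python
"""
Toy model of PF tagging feeding the IPsec SPD lookup, built to walk through the
loopback example in the forwarded message.  Constructed by the editor; it is
NOT KAME/NetBSD code.  Assumptions (simplifications of the real kernel):
  * SPD entries are tried in the order added, first match wins;
  * a "keep state" rule stores its tag in the state entry and every later
    packet matching that state, in either direction, inherits the tag;
  * inbound: PF runs before the policy check; outbound: the policy check runs
    before PF (the ordering caveat in step 4).
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ipsec_protected: bool = False          # True if it arrived under an SA
    tags: set = field(default_factory=set)
    level_seen: str = "none"               # SPD level the policy check saw


# Mirrors "pass in/out on lo0 proto tcp ... port = ssh keep state tag ssh"
PF_RULES = [
    {"dir": "in",  "dport": 22, "tag": "ssh"},
    {"dir": "out", "dport": 22, "tag": "ssh"},
]

# Mirrors the two spdadd lines from step 1 (both "-P in")
SPD_EXAMPLE = [
    {"dir": "in", "match": "tag",  "tag": "ssh", "level": "use"},
    {"dir": "in", "match": "addr", "src": "127.0.0.1", "dst": "127.0.0.1",
     "level": "require"},
]


def _state_key(pkt):
    # direction-independent key so replies match the state their request created
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class Host:
    def __init__(self, spd):
        self.spd = spd
        self.states = {}                   # state key -> tag of creating rule

    def pf(self, pkt, direction):
        key = _state_key(pkt)
        if key in self.states:             # existing state: inherit its tag
            pkt.tags.add(self.states[key])
            return
        for rule in PF_RULES:
            if rule["dir"] == direction and rule["dport"] == pkt.dport:
                pkt.tags.add(rule["tag"])
                self.states[key] = rule["tag"]   # keep state, tag remembered
                return

    def spd_level(self, pkt, direction):
        for e in self.spd:
            if e["dir"] != direction:
                continue
            if e["match"] == "tag" and e["tag"] in pkt.tags:
                return e["level"]
            if e["match"] == "addr" and (pkt.src, pkt.dst) == (e["src"], e["dst"]):
                return e["level"]
        return "none"

    def _policy_ok(self, pkt, direction):
        pkt.level_seen = self.spd_level(pkt, direction)
        # "require" with no SA is the only refusal; "use" and "none" pass
        return not (pkt.level_seen == "require" and not pkt.ipsec_protected)

    def inbound(self, pkt):
        """PF first, then policy: tags are visible to the SPD lookup."""
        self.pf(pkt, "in")
        return self._policy_ok(pkt, "in")

    def outbound(self, pkt):
        """Policy first, then PF: tags PF adds here come too late for the SPD."""
        ok = self._policy_ok(pkt, "out")
        self.pf(pkt, "out")
        return ok


def loopback_connect(dport, spd=SPD_EXAMPLE):
    """Client SYN to 127.0.0.1:dport and the server's reply, each going out and
    then coming back in on lo0, with no SA present.  Returns True only if every
    leg passes (the telnet-to-25 versus telnet-to-22 experiment in step 3)."""
    host = Host(spd)
    syn = Packet("127.0.0.1", 40000, "127.0.0.1", dport)     # constructed
    reply = Packet("127.0.0.1", dport, "127.0.0.1", 40000)   # constructed
    return (host.outbound(syn) and host.inbound(syn)
            and host.outbound(reply) and host.inbound(reply))


def outbound_tag_caveat():
    """Step 4: even with a hypothetical outbound tagged policy (not on the
    page), the outbound SPD lookup runs before PF attaches the tag, so the
    lookup sees "none" although the packet leaves PF tagged "ssh"."""
    spd = SPD_EXAMPLE + [{"dir": "out", "match": "tag", "tag": "ssh", "level": "use"}]
    host = Host(spd)
    syn = Packet("127.0.0.1", 40000, "127.0.0.1", 22)
    host.outbound(syn)
    return syn.level_seen, sorted(syn.tags)


if __name__ == "__main__":
    print("telnet 127.0.0.1 25 allowed:", loopback_connect(25))
    print("telnet 127.0.0.1 22 allowed:", loopback_connect(22))
    print("outbound lookup saw / tags after PF:", outbound_tag_caveat())
```

The model keeps the SPD direction separate from the PF direction on purpose: with only "-P in" entries, every outbound leg passes regardless of tags, and the refusal of port 25 comes entirely from the inbound address policy, which is what step 3 reports.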

Copyright © 2009, WEBSERVER CONSUMER GUIDE
