New PF (OpenBSD 3.7 ***ALPHA-preview***)

Nick Buraglio nick at buraglio.com
Thu Apr 21 07:57:38 PDT 2005 

I was just digging for some info on the newer features and when they'd 
be available in freebsd.  I'll get this on a testing box asap.   The 
effort is greatly appreciated.


------------                           					
- Nick Buraglio,  Network Engineer,  NCSA
- Phone: 217.244.6428
- GnuPG Key: 0x2E5B44F4
------------                          					
On Apr 19, 2005, at 6:12 PM, Max Laier wrote:

> All,
>
> at:
>     http://people.freebsd.org/~mlaier/pf37/
>
> you will find the first shot at the long awaited import of a new 
> version of
> pf.  This is level with what is likely to be shipped as OpenBSD 3.7 and
> includes *most* of the features.  Some are not yet implemented:
>
>  - Filtering on route labels (we don't have any).
>  - Return-rst on IP-less bridges (bridge support is still behind; 
> There is
>    work ongoing to improve this as well, though.).
>  - Congestion prevention/graceful comeback (subject to future work).
>
> There are, however, some hightlights that came with OpenBSD 3.6 and 
> will be
> coming with OpenBSD 3.7 (from the OpenBSD release notes):
>
>  + pfctl(8) now provides a rules optimizer to help improve filtering 
> speed.
>  + pf, now supports nested anchors.
>  + Support limiting TCP connections by establishment rate, 
> automatically
>    adding flooding IP addresses to tables and flushing states
>    (max-src-conn-rate, overload <table>, flush global).
>  + Improved functionality of tags (tag and tagged for translation 
> rules,
>    tagging of all packets matching state entries).
>  + Improved diagnostics (error messages and additional counters from
>    pfctl -si).
>  + New keyword set skip on to skip filtering on arbitrary interfaces, 
> like
>    loopback.
>  + Several bugfixes improving stability.
>
> This import is in a very early stage and you should keep this in mind!
>
> However, it should build and boot just fine.  I have done some basic 
> tests to
> weed out the common problems seen during the last imports, but didn't 
> do
> extensive testing yet.  If you are in a position where you can test 
> this, I
> am looking forward to getting your feedback!
>
> Updates will be posted to the freebsd-pf mailing list.  Thanks.
>
> -- 
> /"\  Best regards,                      | mlaier at freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News

More information about the freebsd-pf mailing list