VIMAGE/VNETs support for PF

Craig Rodrigues rodrigc at freebsd.org
Fri Dec 12 02:39:14 UTC 2014


On Thu, Nov 13, 2014 at 02:17:54PM -0500, suraj sandhu wrote:
> Hi all,
> 
> I am working on a product which used ipfilter but since ipfilter is not
> supported by the FreeBSD community anymore and doesn't support VNETs, I
> need to make a choice between IPFW and PF.
> 
> I know IPFW is supported and works with VIMAGE, can someone here please let
> me know if the PF also works with VIMAGE, specifically in FreeBSD 9?

Can you describe what kind of product you are working on,
and your requirements?

Are you interested in:
     (1)  Using a system with VIMAGE compiled into the kernel,
          using the packet filter (IPFW, ipfilter, or PF)
          *not* inside a VNET jail.

     (2)  Using a system with VIMAGE compiled into the kernel,
          *and* using the packet filter (IPFW, ipfilter, or PF) inside a VNET jail.

My experience on what works in FreeBSD 9 is based on working with FreeNAS
(which is derived from FreeBSD 9):

ipfw:  Seems to work with (1) or (2) with the least problems, but needs more investigation
pf:    Seems to work with (1), but (2) has problems, some of which are fixed in FreeBSD 10
ipfilter:  crashes on bootup

I committed one fix for ipfilter which is not in FreeBSD 9: https://lists.freebsd.org/pipermail/svn-src-all/2014-November/095036.html

which addresses (1) but not (2).

-- 
Craig