Matthew Dillon <[email protected]> wrote:
> PF in master should be able to do it but of course it is quite
> experimental. I would worry about the state tables possibly getting
> blown out.
>
> Currently the PF in master is not handling the tcp sequence space
> properly and /etc/pf.conf must contain global options as follows
> to run reliably:
>
> set keep-policy keep state (pickups, sloppy)
>
> PF in 2.6 should work well and not require 'sloppy' (it might not
> even support 'sloppy').
>
> If you could possibly switch to PF that would be the best thing to
> do. Having three different packet filters in DragonFly is just too
> many and IPF is the least-used of the three.
>
> IPSEC is another matter. Any breakage there should be fairly easy to
> fix if we can get someone to mess with it. I can mess with it myself
> sometime mid-February.

While NPF on NetBSD is still work-in-progress, most features are already
implemented and we will be focusing on bug fixing and performance next.

http://nxr.netbsd.org/xref/src/sys/net/npf/

Just FYI, in case you might be interested in alternatives.

--
Mindaugas
