On Oct 31, 2006, at 5:52 AM, Ryan McBride wrote:

> On Mon, Oct 30, 2006 at 01:41:48AM -0500, Joseph Gorse wrote:
>> I'm posting my intention to port pf(4) (http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4)
>> to an NKE for use as a replacement or complement to the current ipfw2
>> that is available in current Mac OS X.
>
> The FreeBSD version will be interesting too from the perspective of a porting
> effort, because you'll see what portability gunk they've added. But
> you'll probably want to at least have a look at the OpenBSD version. The
> FreeBSD port of PF lags somewhat behind ours, and there is a fair bit of
> active development currently being done.
>
> However, OpenBSD has traditionally made no particular effort to ensure
> that PF is portable across the BSDs, and some of PF's more advanced
> features depend on features in other parts of the kernel. I'm not
> familiar with the OS X kernel, so I can't say how hard it's going to be
> to wedge the PF bits in there, but you may not be able to support
> everything without significant buy-in and assistance from other OS X
> developers.
>
>> I've posted my intentions in the darwin-dev list as well, asking
>> advice about Apple's NKE.
>>
>> I am soliciting any advice you have before I undertake this task. It
>> seems sane enough to me to want kernelland pf where my only current
>> options are ipfw2 with userland natd for NAT and throttled for QoS.
>
> Seems sane to me as well, and it would be nice to see the BSD standard
> for packet filtering available on OSX as well.
>
> Are you thinking of porting CARP and pfsync as well?

For what it's worth, I had a conversation with Jordan Hubbard at OSCON '05. After seeing the demo we were running at the BSD booth, he mentioned that Apple was looking at porting CARP to OS X. I've seen nothing in the Leopard preview pages to suggest it's on the horizon.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
