Jason Dixon <[EMAIL PROTECTED]> said:

> On Oct 31, 2006, at 5:52 AM, Ryan McBride wrote:
> 
> > On Mon, Oct 30, 2006 at 01:41:48AM -0500, Joseph Gorse wrote:
> >> I'm posting my intention to port pf(4)
> >> (http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4) to an NKE for
> >> use as a replacement or complement to the current ipfw2 that is
> >> available in current Mac OS X.
> >
> > FreeBSD version will be interesting from the perspective of a porting
> > effort, because you'll see what portability gunk they've added. But
> > you'll probably want to at least have a look at the OpenBSD version. The
> > FreeBSD port of PF lags somewhat behind ours, and there is a fair bit of
> > active development currently being done.

That's what I figured I'd play with first, just because it'll probably be
easier at first.

> >
> > However, OpenBSD has traditionally made no particular effort to ensure
> > that PF is portable across the BSDs, and some of PF's more advanced
> > features depend on features in other parts of the kernel.  I'm not
> > familiar with the OS X kernel, so I can't say how hard it's going to be
> > to wedge the PF bits in there, but you may not be able to support
> > everything without significant buy-in and assistance from other OS X
> > developers.
> >

Agreed. It seems OS X has NKEs (Network Kernel Extensions) just for this
purpose, though the level that I have to hook into may be tricky (interface
filter) with IPv6 and all that, or so I hear.
http://developer.apple.com/documentation/Darwin/Conceptual/NKEConceptual/index.html

"Network Kernel Extensions Overview" shows what I have to work with.

> >> I've posted my intentions in the darwin-dev list as well, asking
> >> advice about Apple's NKE.
> >>
> >> I am soliciting any advice you have before I undertake this task. It
> >> seems sane enough to me to want kernelland pf where my only current
> >> options are ipfw2 with userland natd for NAT and throttled for QoS.
> >
> > Seems sane to me as well, and it would be nice to see the BSD standard
> > for packet filtering available on OSX as well.
> >
> > Are you thinking of porting CARP and pfsync as well?

Yes. Though perhaps not at first.

> 
> For what it's worth, I had a conversation with Jordan Hubbard at  
> OSCON '05.  After seeing the demo we were running at the BSD booth,  
> he mentioned that Apple was looking at porting CARP to OS X.  I've  
> seen nothing in the Leopard preview pages to suggest it's on the  
> horizon.
> 
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net

I hadn't investigated much yet on the possibility that Apple may already be
doing this for 10.5, but this seems to make sense. I guess they've been
focusing more on the proprietary OS X side of things lately, so I am not
holding my breath for major developments with networking in the Darwin kernel.

Also, this may seem like a novice question, but where is the best place for me
to snag current code from? Also, any additional dev docs or papers that you
know of would be much appreciated.

Cheers,
Joe
