DragonFly BSD
DragonFly kernel List (threaded) for 2011-01

Re: Time to let go of ipfilter

From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 21 Jan 2011 08:02:48 -0800 (PST)

:2011/1/21 Sepherosa Ziehau <sepherosa@gmail.com>:
:> Hi all,
:Hi sephe
:> ipfilter is not maintained in dragonfly at all, I plan to remove it.
:Just a word about it. Currently we (a French hoster, http://www.nfrance.com) use
:DragonFly (2.6, as 2.8 broke ipsec) as primary OS for our routers (20 machines)
:with quagga and ipf. And it works really well (better than FreeBSD, which we were
:previously using).
:Our requirement for routing machines is to be able to gracefully handle
:200-300mb/s traffic load with filtering (stateless) and bgp/ospf routing
:(full table). Crash test is at 400mb/s in lab.
:We chose ipf for historical reasons (previously used on FreeBSD). But
:we experienced on FreeBSD that it's really faster than pf.
:Do you think there is currently another software (maybe ipfw) that can
:filter 200/300 mb/s load?

    PF in master should be able to do it but of course it is quite
    experimental.  I would worry about the state tables possibly getting
    blown out.

    Currently the PF in master is not handling the tcp sequence space
    properly and /etc/pf.conf must contain global options as follows
    to run reliably:

	set keep-policy keep state (pickups, sloppy)

    PF in 2.6 should work well and not require 'sloppy' (it might not
    even support 'sloppy').

    If you could possibly switch to PF that would be the best thing to
    do.  Having three different packet filters in DragonFly is just too
    many and IPF is the least-used of the three.

    IPSEC is another matter.  Any breakage there should be fairly easy to
    fix if we can get someone to mess with it.  I can mess with it myself
    sometime mid-February.

					Matthew Dillon 
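An added example, not part of the thread and not DragonFly's own configuration: a minimal /etc/pf.conf for the stateless-router role described above. It places the global option quoted in the reply ahead of the rules, and writes the filtering rules with `no state` so that forwarded traffic never enters the state table, which sidesteps the state-table blowout concern for transit traffic. Interface names, addresses, peer list and the state limit are assumptions. The `set keep-policy` line is the DragonFly-specific option quoted in the message; the remaining syntax is standard pf.conf.

```pf
# Assumed interface names and prefixes (placeholders, not a real deployment)
ext_if = "em0"
int_if = "em1"
router_ip = "192.0.2.1"
peers = "{ 192.0.2.2, 192.0.2.3 }"
internal_net = "198.51.100.0/24"

# Global options must come before any rules.
# The keep-policy line is the option quoted in the message for PF in master;
# it is DragonFly-specific and is not needed (and may not parse) on the 2.6 PF.
set keep-policy keep state (pickups, sloppy)
# Cap the state table so a traffic spike cannot exhaust kernel memory;
# the figure is an assumption, tune it to the box.
set limit states 100000
set skip on lo0

# Default deny on the external interface.
block in on $ext_if

# Routing-protocol traffic to the router itself: BGP (tcp/179) from known
# peers and OSPF (protocol 89) on the internal side. "no state" keeps these
# flows out of the state table, matching the stateless filtering described.
pass in quick on $ext_if proto tcp from $peers to $router_ip port 179 no state
pass out quick on $ext_if proto tcp from $router_ip to $peers port 179 no state
pass in quick on $int_if proto ospf no state
pass out quick on $int_if proto ospf no state

# Transit traffic: forwarded statelessly in both directions.
pass in quick on $ext_if from any to $internal_net no state
pass out quick on $ext_if from $internal_net to any no state
pass in quick on $int_if from $internal_net to any no state
pass out quick on $int_if from any to $internal_net no state
```

Validate with `pfctl -nf /etc/pf.conf` before loading; on the 2.6 PF, drop the keep-policy line if pfctl rejects it. Because no state is kept, return traffic is not matched automatically, so each direction needs its own pass rule, which is why both in and out rules appear for every flow. Any rule that does keep state (for example management access to the router itself) is where the `sloppy` behaviour quoted in the reply applies, and those are the entries that count against `set limit states`.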
