Re: bringing pf (4) to OS X via Network Kernel Extension (NKE)
On Mon, Oct 30, 2006 at 01:41:48AM -0500, Joseph Gorse wrote:
> I'm posting my intention to port pf (4) (http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4) to an NKE for use as a replacement or complement to the current ipfw2 that is available in current Mac OS X.

The FreeBSD version will be interesting from the perspective of a porting effort, because you'll see what portability gunk they've added. But you'll probably want to at least have a look at the OpenBSD version. The FreeBSD port of PF lags somewhat behind ours, and there is a fair bit of active development currently being done.

However, OpenBSD has traditionally made no particular effort to ensure that PF is portable across the BSDs, and some of PF's more advanced features depend on features in other parts of the kernel. I'm not familiar with the OS X kernel, so I can't say how hard it's going to be to wedge the PF bits in there, but you may not be able to support everything without significant buy-in and assistance from other OS X developers.

> I've posted my intentions in the darwin-dev list as well, asking advice about Apple's NKE. I am soliciting any advice you have before I undertake this task. It seems sane enough to me to want kernelland pf where my only current options are ipfw2 with userland natd for NAT and throttled for QoS.

Seems sane to me as well, and it would be nice to see the BSD standard for packet filtering available on OSX as well. Are you thinking of porting CARP and pfsync as well?
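As an added illustration, not written by any of the posters, of what "kernelland pf" buys over ipfw2 plus userland natd and throttled: a constructed pf.conf in the OpenBSD syntax of that era, doing NAT, QoS (ALTQ) and stateful filtering in one kernel-side ruleset. Interface names, bandwidth and the presence of ALTQ driver support are assumptions; the thread makes no claim that any of this already works on OS X.

```pf
# Constructed example, not from the thread. Interface names and the 10Mb
# uplink figure are assumed; ALTQ needs driver support on the interface.
ext_if = "en0"
int_if = "en1"

# QoS in the kernel via ALTQ: a default queue plus a small high-priority
# queue on the uplink, roles that 'throttled' plays in userland today.
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh }
queue std bandwidth 90% cbq(default)
queue ssh bandwidth 10% priority 7 cbq(borrow)

# NAT in the kernel, the role 'natd' plays in userland today: rewrite the
# LAN's source addresses to the uplink's current address; the parentheses
# make pf track that address if it changes (e.g. DHCP).
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Stateful filtering: deny by default, let the LAN out, and put interactive
# ssh into the priority queue. pf is last-match-wins, so the narrower ssh
# rule comes after the general one. States are floating here, so the queue
# chosen by the rule that created the state applies on $ext_if as well.
block all
pass in on $int_if from $int_if:network to any keep state queue std
pass in on $int_if proto tcp from $int_if:network to any port 22 keep state queue ssh
pass out on $ext_if from any to any keep state
```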
Re: bringing pf (4) to OS X via Network Kernel Extension (NKE)
On Oct 31, 2006, at 5:52 AM, Ryan McBride wrote:
> On Mon, Oct 30, 2006 at 01:41:48AM -0500, Joseph Gorse wrote:
>> I'm posting my intention to port pf (4) (http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4) to an NKE for use as a replacement or complement to the current ipfw2 that is available in current Mac OS X.
>
> The FreeBSD version will be interesting from the perspective of a porting effort, because you'll see what portability gunk they've added. But you'll probably want to at least have a look at the OpenBSD version. The FreeBSD port of PF lags somewhat behind ours, and there is a fair bit of active development currently being done.
>
> However, OpenBSD has traditionally made no particular effort to ensure that PF is portable across the BSDs, and some of PF's more advanced features depend on features in other parts of the kernel. I'm not familiar with the OS X kernel, so I can't say how hard it's going to be to wedge the PF bits in there, but you may not be able to support everything without significant buy-in and assistance from other OS X developers.
>
>> I've posted my intentions in the darwin-dev list as well, asking advice about Apple's NKE. I am soliciting any advice you have before I undertake this task. It seems sane enough to me to want kernelland pf where my only current options are ipfw2 with userland natd for NAT and throttled for QoS.
>
> Seems sane to me as well, and it would be nice to see the BSD standard for packet filtering available on OSX as well. Are you thinking of porting CARP and pfsync as well?

For what it's worth, I had a conversation with Jordan Hubbard at OSCON '05. After seeing the demo we were running at the BSD booth, he mentioned that Apple was looking at porting CARP to OS X. I've seen nothing in the Leopard preview pages to suggest it's on the horizon.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: bringing pf (4) to OS X via Network Kernel Extension (NKE)
Jason Dixon said:
> On Oct 31, 2006, at 5:52 AM, Ryan McBride wrote:
>> On Mon, Oct 30, 2006 at 01:41:48AM -0500, Joseph Gorse wrote:
>>> I'm posting my intention to port pf (4) (http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4) to an NKE for use as a replacement or complement to the current ipfw2 that is available in current Mac OS X.
>>
>> The FreeBSD version will be interesting from the perspective of a porting effort, because you'll see what portability gunk they've added. But you'll probably want to at least have a look at the OpenBSD version. The FreeBSD port of PF lags somewhat behind ours, and there is a fair bit of active development currently being done.

That's what I figured I'd play with first, just because it'll probably be easier at first.

>> However, OpenBSD has traditionally made no particular effort to ensure that PF is portable across the BSDs, and some of PF's more advanced features depend on features in other parts of the kernel. I'm not familiar with the OS X kernel, so I can't say how hard it's going to be to wedge the PF bits in there, but you may not be able to support everything without significant buy-in and assistance from other OS X developers.

Agreed. It seems OS X has NKEs (Network Kernel Extensions) just for this purpose, though the level that I have to hook into may be tricky (interface filter) with IPv6 and all that, or so I hear.

http://developer.apple.com/documentation/Darwin/Conceptual/NKEConceptual/index.html

The Network Kernel Extensions Overview shows what I have to work with.

>>> I've posted my intentions in the darwin-dev list as well, asking advice about Apple's NKE. I am soliciting any advice you have before I undertake this task. It seems sane enough to me to want kernelland pf where my only current options are ipfw2 with userland natd for NAT and throttled for QoS.
>>
>> Seems sane to me as well, and it would be nice to see the BSD standard for packet filtering available on OSX as well.
>>
>> Are you thinking of porting CARP and pfsync as well?

Yes. Though perhaps not at first.

> For what it's worth, I had a conversation with Jordan Hubbard at OSCON '05. After seeing the demo we were running at the BSD booth, he mentioned that Apple was looking at porting CARP to OS X. I've seen nothing in the Leopard preview pages to suggest it's on the horizon.
>
> -- 
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net

I hadn't investigated much yet on the possibility that Apple may already be doing this for 10.5, but this seems to make sense. I guess they've been focusing more on the proprietary OS X side of things lately, so I am not holding my breath for major developments with networking in the Darwin kernel.

Also, this may seem like a novice question, but where is the best place for me to snag current code from? Also, any additional dev docs or papers that you know of would be much appreciated.

Cheers,
Joe
Re: bringing pf (4) to OS X via Network Kernel Extension (NKE)
Joseph Gorse wrote:
> Also, this may seem like a novice question, but where is the best place for me to snag current code from? Also, any additional dev docs or papers that you know of would be much appreciated.

Try these for starters. Note that pf has been ported to NetBSD, DragonFly BSD, and even Windows.

http://www.openbsd.org/anoncvs.html
http://www.openbsd.org/faq/pf
http://www.reedmedia.net/books/pf-book
http://www.bgnett.no/~peter/pf
http://leaf.dragonflybsd.org/cgi/web-man?command=pf
http://nedbsd.nl/~ppostma/pf
https://solarflux.org/pf
http://force.coresecurity.com/index.php?page=about