On Mon, Oct 30, 2006 at 01:41:48AM -0500, Joseph Gorse wrote:
> I'm posting my intention to port pf (4) (http://www.freebsd.org/cgi/
> man.cgi?query=pf&sektion=4) to an NKE for use as a replacement or
> complement to the current ipfw2 that is available in current Mac OS X.
The FreeBSD version will be interesting too from the perspective of a porting effort, because you'll see what portability gunk they've added. But you'll probably want to at least have a look at the OpenBSD version. The FreeBSD port of PF lags somewhat behind ours, and there is a fair bit of active development currently being done. However, OpenBSD has traditionally made no particular effort to ensure that PF is portable across the BSDs, and some of PF's more advanced features depend on features in other parts of the kernel. I'm not familiar with the OS X kernel, so I can't say how hard it's going to be to wedge the PF bits in there, but you may not be able to support everything without significant buy-in and assistance from other OS X developers.

> I've posted my intentions in the darwin-dev list as well, asking
> advice about Apple's NKE.
>
> I am soliciting any advice you have before I undertake this task. It
> seems sane enough to me to want kernelland pf where my only current
> options are ipfw2 with userland natd for NAT and throttled for QoS.

Seems sane to me as well, and it would be nice to see the BSD standard for packet filtering available on OS X as well. Are you thinking of porting CARP and pfsync as well?
