KernelTrap - PF

C2K8 OpenBSD Hackathon

Jeremy — Thu, 29 May 2008 01:01:51 +0000

"The OpenBSD Foundation is pleased to announce that it has completed arrangements with the University of Alberta in Edmonton to host the 2008 Annual OpenBSD Developer's Conference (C2K8 Hackathon) from June 7 to June 15, 2008," stated an announcement by the OpenBSD Foundation, continuing:

"The facility support from the University of Alberta Computer Science Department will provide C2K8 the best facilities yet for the annual OpenBSD Developer Conference. C2K8 will be the 10th annual event of its kind. Previous hackathons have produced tools such as the PF firewall, OpenBGP, relayd and spamd, as well as innumerable critical improvements to OpenBSD, OpenSSH, and related projects.

"This year, the OpenBSD Foundation will disburse approximately $15,000 to support C2K8, enabling more than 50 OpenBSD developers from around the world to attend this important event. The Foundation thanks all who have generously donated the resources to make C2K8 possible."

Fair Queuing For ALTQ

Jeremy — Thu, 10 Apr 2008 19:45:07 +0000

"I have a question for the PF/ALTQ masters out there," Matthew Dillon began on the DragonFlyBSD kernel mailing list, having recently switched from using a Cisco router to a DragonFlySD server running PF. "I am trying to configure PF in a manner similar to what Cisco's fair-queue algorithm does. Cisco's algorithm basically hashes TCP and UDP traffic based on the port/IP pairs, creating a bunch of lists of backlogged packets and then schedules the packets at the head of each list." He went on to explain that he was unsuccessfully trying to configure the same thing with PF, "neither CBQ nor HFSC seem to work well. I can separate certain types of traffic but the real problem is when there are multiple TCP connections that are essentially classified the same, and one is hogging the outgoing bandwidth. So the question is, is there a PF solution for that or do I need to write a new ALTQ mechanic to implement fair queueing?"

Not finding a solution, he followed with a series of patches implementing what he needed. He explained the resulting logic noting, "unless something comes up I am going to commit this to DragonFly on Friday and call it done. I would be pleased if other projects picked up some or all of the work":

"The queues are scanned from highest priority to lowest priority; if the packet bandwidth on the queue does not exceed the bandwidth parameter and a packet is available, a packet will be chosen fro that queue; if a packet is available but the queue has exceeded the specified bandwidth, the next lower priority queue is scanned (and so forth); if NO lower priority queues either have packets or are all over the bandwidth limit, then a packet will be taken from the highest priority queue with a packet ready; packet rate can exceed the queue bandwidth specification (but will not exceed the interface bandwidth specification, of course), but under full saturation the average bandwidth for any given queue will be limited to the specified value."

Interview: Ryan McBride

Jeremy — Wed, 07 Apr 2004 11:38:53 +0000

Ryan McBride works full time on OpenBSD development. His first contribution was adding IPv6 support to PF, OpenBSD's stateful packet filter. More recently he was the primary developer of CARP, the Common Address Redundancy Protocol, a patent-free alternative to HSRP and VRRP.

Feature: Porting The PF Stateful Packet Filter

Jeremy — Tue, 08 Apr 2003 21:52:00 +0000

The upcoming release of OpenBSD 3.3 on May 1'st will include, among many other improvements, a notably enhanced version of PF, OpenBSD's stateful packet filter. Some of the more significant enhancements to PF include: 'queues', allowing for per-rule bandwidth control [story]; 'pool options', allowing one to utilize multiple uplinks and to intelligently redirect traffic to multiple servers; 'anchors', which allow one to divide packet filtering rule lists into logical pieces; 'tables', efficiently allowing for very large lists; and other parser improvements that make an already friendly syntax more human readable.

PF replaced its predecessor, IPF, with the release of OpenBSD 3.0 in December of 2001. Since that time, this impressive and relatively new packet filter has grown a faithful following (myself included), and continues to evolve rapidly with each new OpenBSD release. Perhaps the greatest compliment, developers have begun to port PF to other operating systems. Back in January, Joel Wilsson announced his effort to port PF to NetBSD. And more recently, Pyun YongHyeon announced his port for FreeBSD.

I approached Pyun to learn more about his recent porting efforts. In the following article he explains why he began working on this port, and what FreeBSD users can expect from the project. Additionally, I spoke with PF creator Daniel Hartmeier [interview], PF developer Henning Brauer, and OpenBSD creator Theo de Raadt [interview]. They all reflect on these recent porting efforts, as well as the exciting new features found in OpenBSD's PF.