From: Craig Rodrigues
Date: Thu, 11 Dec 2014 18:39:04 -0800
To: suraj sandhu
Cc: freebsd-pf@freebsd.org
Subject: Re: VIMAGE/VNETs support for PF

On Thu, Nov 13, 2014 at 02:17:54PM -0500, suraj sandhu wrote:
> Hi all,
>
> I am working on a product which used ipfilter but since ipfilter is not
> supported by the FreeBSD community anymore and doesn't support VNETs, I
> need to make a choice between IPFW and PF.
>
> I know IPFW is supported and works with VIMAGE, can someone here please let
> me know if the PF also works with VIMAGE, specifically in FreeBSD 9?

Can you describe what kind of product you are working on, and your
requirements?

Are you interested in:

(1) Using a system with VIMAGE compiled into the kernel, using the
    packet filter (IPFW, ipfilter, or PF) *not* inside a VNET jail.

(2) Using a system with VIMAGE compiled into the kernel, *and* using the
    packet filter (IPFW, ipfilter, or PF) inside a VNET jail.

My experience on what works in FreeBSD 9 is based on working with FreeNAS
(which is derived from FreeBSD 9):

ipfw:     Seems to work with (1) or (2) with least problems, but needs more investigation
pf:       Seems to work with (1), but (2) has problems some of which are fixed in FreeBSD 10
ipfilter: crashes on bootup

I committed one fix for ipfilter which is not in FreeBSD 9:
https://lists.freebsd.org/pipermail/svn-src-all/2014-November/095036.html
which addresses (1) but not (2).

-- 
Craig