- Designed to be fully MP-safe and highly efficient.
- Tables/IP sets (hash or red-black tree) for high performance lookups.
- Stateful filtering and Network Address Port Translation (NAPT).
Framework for application level gateways (ALGs).
- Packet inspection engine called n-code processor - inspired by BPF -
supporting generic RISC-like and specific CISC-like instructions for
common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.
- Convenient userland utility npfctl(8) with npf.conf(8).
NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.
Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@
and remove renameing _Rune* -> _NBRune* namespace protection.
FreeBSD traditionaly exposes struct _Rune* in runetype.h
which included by ctype.h. it may cause conflicting type error
in our cross build process, former we use renaming namespace
to avoid this problem, now i reworked more resonable way.
2. merge rune_local.h to runetype_local.h, and remove it.
3. split bsdctype.h -> bsdctype_{file,local}.h
2. do not use _CTYPE_NUM_CHARS macro to read data from LC_CTYPE(old BSDCTYPE style) database.
because 1<<CHAR_BIT is MD, so i added MI macro _CTYPE_CACHE_SIZE(1<<8).
3. remove _NB_CACHED_RUNE macro, use _CTYPE_CACHE_SIZE instead.
pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to
dump internal configuration of pf, and restore at a latter point, after a
maintenance reboot for example, in a transparent way for user.
This work has been done mostly during my GSoC 2009
No objections on tech-net@
the rump kernel just attaches to / in said rump kernel instance.
This is mostly useful in case wanting to see what nodes components
create (see Makefile).
not built without manual intervention
rmind