NPF, NetBSD's New Packet Filter

2010-9-27 09:32 | Posted by: walkerxk | Views: 2650 | Comments: 0 | Source: LUPA community

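NPF (new packet filter) is a new packet filtering system for NetBSD. It is designed for high performance on multiprocessor machines and for easier extensibility.

It is NetBSD's third packet filter, after IP Filter and PF, and it uses a bytecode interpreter in its packet-inspection engine.

The original text of the NetBSD Foundation's announcement follows: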


The NetBSD Foundation is pleased to announce NPF, a new packet filter
by Mindaugas Rasiukevicius. NPF is designed for high performance on
multiprocessor machines, and for easy extensibility.

Highlights of NPF features include

* MP-safety and locklessness for scalable MP performance: no longer is
the packet filter the bottleneck in your multicore router

* Fast hash-table and red-black tree lookups

* Stateful packet filtering, Network Address Port Translation (NAPT),
and Application-Level Gateways (ALGs) for, e.g., traceroute

* The N-Code processor, a packet-inspection engine inspired by BPF:
the N-Code processor is programmed to match packets using generic,
RISC-like instructions and a few CISC-like instructions for common
patterns such as IPv4 addresses

* Familiar configuration syntax and utilities

* Modularity and extensibility: users extend NPF by loading a kernel
module. NPF provides developers with an extensions API. NPF rules
can embed a hook that invokes an extension

By the end of January, NPF should have all of the capabilities that
NetBSD users have come to expect by using the other filters in the
kernel:

* IPv4 reassembly support
* Bi-directional NAT and port forwarding (re-direction)
* FTP proxy support
* IP header flags cleansing
* ICMP packets and TCP RST packet blocking
* Save/restore state
* Packet logging, configurable using filter rules

Rasiukevicius will also write documentation and configuration examples.

Beyond that, NPF needs code for IPv6 support. Rasiukevicius agrees to
provide technical support to developers who will add IPv6 support to
NPF. An outline of the steps to IPv6 support will be forthcoming.

NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF
is unique for using a bytecode interpreter in its packet-inspection
engine, and for answering the question, “What does a packet filter
designed from the bottom up for multiprocessor systems look like?”

NPF development is sponsored by the NetBSD Foundation.


David Young
On Behalf of The NetBSD Foundation

