免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
最近访问板块 发新帖
查看: 2329 | 回复: 0

Introducing NPF, NetBSD's new packet filter [复制链接]

论坛徽章:
0
发表于 2010-09-17 11:10 |显示全部楼层
http://mail-index.netbsd.org/net ... 9/13/msg000110.html

期待ing

The NetBSD Foundation is pleased to announce NPF, a new packet filter
by Mindaugas Rasiukevicius.  NPF is designed for high performance on
multiprocessor machines, and for easy extensibility.

Highlights of NPF features include

* MP-safety and locklessness for scalable MP performance: no longer is
  the packet filter the bottleneck in your multicore router

* Fast hash-table and red-black tree lookups

* Stateful packet filtering, Network Address Port Translation (NAPT),
  and Application-Level Gateways (ALGs) for, e.g., traceroute

* The N-Code processor, a packet-inspection engine inspired by BPF:
  the N-Code processor is programmed to match packets using generic,
  RISC-like instructions and a few CISC-like instructions for common
  patterns such as IPv4 addresses

* Familiar configuration syntax and utilities

* Modularity and extensibility: users extend NPF by loading a kernel
  module.  NPF provides developers with an extensions API.  NPF rules
  can embed a hook that invokes an extension

By the end of January, NPF should have all of the capabilities that
NetBSD users have come to expect by using the other filters in the
kernel:

        * IPv4 reassembly support
        * Bi-directional NAT and port forwarding (re-direction)
        * FTP proxy support
        * IP header flags cleansing
        * ICMP packets and TCP RST packet blocking
        * Save/restore state
        * Packet logging, configurable using filter rules

Rasiukevicius will also write documentation and configuration examples.

Beyond that, NPF needs code for IPv6 support.  Rasiukevicius agrees to
provide technical support to developers who will add IPv6 support to
NPF.  An outline of the steps to IPv6 support will be forthcoming.

NPF is the third packet filter in NetBSD, after IP Filter and PF.  NPF
is unique for using a bytecode interpreter in its packet-inspection
engine, and for answering the question, "What does a packet filter
designed from the bottom up for multiprocessor systems look like?"

NPF development is sponsored by the NetBSD Foundation.

--
David Young
On Behalf of The NetBSD Foundation
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP