
pf status update

Contact: Kristof Provost <kp@FreeBSD.org>
Contact: Reid Linnemann <rlinnemann@netgate.com>

Ethernet

pf recently grew support for filtering at the Ethernet layer. See the 2021q2 pf_ethernet report.

Since then the Ethernet layer filtering has been extended with:

  • anchor support

  • ability to look into the layer 3 header, for matching on source/destination IPv4/IPv6 addresses

  • table support for IP address matching

  • direct dispatch to dummynet: Ethernet layer packets are passed straight to dummynet, rather than tagging the packets and relying on layer 3 to hand them to dummynet

Dummynet

pf recently started being able to use dummynet for packet scheduling. This support has been extended and improved, and is now believed to be ready for production.

One notable fix is that traffic handled by reply-to or route-to is now subject to dummynet scheduling as well.
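The following pf.conf fragment is an added example, not configuration from the report or from the pf project, that exercises the Ethernet-layer features listed above (anchors, layer 3 matching, tables, direct dispatch to dummynet) together with the dummynet scheduling described in this section. The interface name, MAC address, address range and dummynet pipe number are assumptions chosen for illustration.

```pf
# Added example; em0, the MAC address, 192.0.2.0/24 and pipe 1 are assumed.
# dummynet pipe 1 is assumed to exist already, e.g. created with
#   dnctl pipe 1 config bw 10Mbit/s

# Table used for layer 3 matching inside Ethernet rules
table <lan_clients> { 192.0.2.0/24 }

# Anchor support: Ethernet-layer rules can be grouped in an anchor
ether anchor "lab" {
	# Drop every frame from one specific (assumed) MAC address
	ether block in quick on em0 from 00:00:5e:00:53:01

	# Look into the layer 3 header: IPv4 frames (ethertype 0x0800) whose
	# source address is in the table are handed straight to dummynet
	# pipe 1, with no tag and no reliance on the layer 3 rules
	ether pass in quick on em0 proto 0x0800 l3 from <lan_clients> dnpipe 1
}

# Explicit default for everything else at the Ethernet layer
ether pass

# Layer 3 rules still apply to traffic that passed the Ethernet rules
block all
pass in on em0 inet from <lan_clients>
```

Load it with `pfctl -f /etc/pf.conf` and inspect the loaded Ethernet rule set with `pfctl -s ether`. The `quick` keyword on the anchor rules matters: without it the later `ether pass` would be the last matching rule and would override the block.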

Last match timestamp

pf now tracks when a rule was last matched. As with ipfw rule timestamps, these timestamps are stored internally as uint32_t snapshots of the system "wall time" clock in seconds (see time(9)). The timestamp is CPU local and is updated each time a rule or a state is matched.

Sponsor: Rubicon Communications, LLC ("Netgate")


Last modified on: September 11, 2022 by Maxim Konovalov