NetBSD-SoC: A tool to dump / restore pf state table
What is it?
Pf is a well-known stateful firewall, first developed for OpenBSD and later
integrated into both FreeBSD and NetBSD. Pf has a large number of features but
is still missing some that exist in other BSD firewalls. One of the missing
features is the possibility to dump the content of the state table, store it,
and restore it later, for example after a reboot for maintenance. The idea of
this GSoC project is to provide such a tool for pf, first for the NetBSD
Project, but I hope it will be integrated into other BSD systems.
- April 21, 2009: Community Bonding Period -- Students get to know mentors, read documentation, get up to speed to begin working on their projects.
- May 23, 2009: Students begin coding for their GSoC projects; Google begins issuing initial student payments
- July 6, 2009: Mentors and students can begin submitting mid-term evaluations.
- July 13, 2009: Mid-term evaluation deadline; Google begins issuing mid-term student payments provided passing student survey is on file.
- August 10, 2009: Suggested 'pencils down' date. Take a week to scrub code, write tests, improve documentation, etc.
- August 17, 2009: Firm 'pencils down' date. Mentors, students and organization administrators can begin submitting final evaluations to
- August 24, 2009: Final evaluation deadline; Google begins issuing student and mentoring organization payments provided forms and evaluations are on file.
Exact details need to be discussed with, at least, the pf maintainers. There are two different parts:
- a kernel patch which provides an interface to dump / restore the pf internal state table. The patch must provide some way to lock the state table, to be sure that the stored state table is consistent with the real internal table.
- a userland tool which calls the interface described above. It will also be responsible for translating the internal data structures into a readable format. This tool may be a separate binary, or it may be an extension of the current pfctl binary.
The subject of the GSoC is really close to pfsync. If I get some time at the end of the GSoC, I will finish the integration of pfsync in NetBSD.
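As an added illustration of the userland half (this is example code written for this page, not the project's tool, and the dump format, the struct and the function names are assumptions; the real on-disk format is not yet defined): the tool has to turn each kernel state entry into a readable record and, on restore, cope with the fact that a state's remaining lifetime was measured at dump time, not at boot time. The example below writes a simplified state record to a line-oriented ASCII dump whose header carries the dump time, and on read rebases each entry's expiry on the time elapsed since the dump, drops entries that have already timed out, and refuses malformed dumps or a clock that went backwards rather than guessing.

```c
/* Added example for this page, not part of the project: a hypothetical ASCII
 * dump format for a simplified pf-like state entry, with expiry rebased on
 * restore. struct dump_state, DUMP_MAGIC, dump_write and dump_read are all
 * assumed names for illustration; the real struct pf_state in pfvar.h carries
 * far more than this. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* One state entry as it would appear in the dump. */
struct dump_state {
    char     proto[8];
    char     src[64];      /* address text exactly as written in the dump */
    uint16_t sport;
    char     dst[64];
    uint16_t dport;
    uint32_t expire;       /* seconds of lifetime left when the dump was taken */
};

#define DUMP_MAGIC "pfs-dump/1"   /* assumed format tag, versioned on purpose */

/* Header: magic, dump time (epoch seconds), entry count; then one entry per line. */
int dump_write(FILE *fp, time_t now, const struct dump_state *st, size_t n)
{
    if (fprintf(fp, "%s %lld %zu\n", DUMP_MAGIC, (long long)now, n) < 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (fprintf(fp, "%s %s %u %s %u %u\n", st[i].proto, st[i].src,
                    st[i].sport, st[i].dst, st[i].dport, st[i].expire) < 0)
            return -1;
    return 0;
}

/* Read a dump taken earlier. Entries whose remaining lifetime already elapsed
 * while the box was down are dropped; survivors get expire reduced by the
 * elapsed time. Returns the number of entries kept, or -1 on a bad magic,
 * a count mismatch, an unparsable line, or a restore time before the dump time. */
int dump_read(FILE *fp, time_t now, struct dump_state *out, size_t max)
{
    char line[256], magic[32];
    long long taken;
    size_t count, kept = 0, seen = 0;

    if (!fgets(line, sizeof line, fp) ||
        sscanf(line, "%31s %lld %zu", magic, &taken, &count) != 3 ||
        strcmp(magic, DUMP_MAGIC) != 0)
        return -1;
    long long elapsed = (long long)now - taken;
    if (elapsed < 0)               /* clock went backwards: refuse to guess */
        return -1;

    while (seen < count && fgets(line, sizeof line, fp)) {
        struct dump_state s;
        unsigned sport, dport, expire;
        if (sscanf(line, "%7s %63s %u %63s %u %u", s.proto, s.src, &sport,
                   s.dst, &dport, &expire) != 6 || sport > 65535 || dport > 65535)
            return -1;
        seen++;
        if ((long long)expire <= elapsed)
            continue;              /* timed out while we were down: do not reinsert */
        s.sport = (uint16_t)sport;
        s.dport = (uint16_t)dport;
        s.expire = expire - (uint32_t)elapsed;
        if (kept < max)
            out[kept++] = s;
    }
    return seen == count ? (int)kept : -1;
}

/* Stand-alone demo on two constructed entries: dump at t=1000, restore at t=1060. */
int main(void)
{
    struct dump_state in[2] = {
        { "tcp", "10.0.0.1", 4321, "10.0.0.2", 22, 600 },
        { "udp", "10.0.0.1", 5353, "10.0.0.3", 53,  30 },  /* dies during the outage */
    };
    struct dump_state out[2];
    FILE *fp = tmpfile();
    if (fp == NULL || dump_write(fp, 1000, in, 2) != 0)
        return 1;
    rewind(fp);
    int n = dump_read(fp, 1060, out, 2);
    fclose(fp);
    printf("kept %d state(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("%s %s:%u -> %s:%u expire %u\n", out[i].proto, out[i].src,
               out[i].sport, out[i].dst, out[i].dport, out[i].expire);
    return n < 0;
}
```

The header's dump time is what makes restore after a reboot meaningful: without it the userland side cannot tell how much of each entry's lifetime has already been spent. Nothing here addresses the kernel-side locking the patch must provide; the format only assumes it was handed a consistent snapshot.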
How to get it?
As said previously, there are two different parts:
- a kernel patch, available here
- a tool, available here
You need to apply the patch and compile a new kernel (with pf at least). The
tool can be compiled separately, with bmake. The pfs tool comes with a man page,
or you can retrieve the documentation here. If you get any issues, please send
me a mail, with the ASCII dump attached if possible.
To be described when the first prototypes are available.
The handling of pf state and the proposal to lock the state table are described here.
NetBSD reference (code and manpage)
Pf source is available in the NetBSD tree in src/sys/dist/pf/net. Documentation
is available in pf(4). Unfortunately, there is no documentation of the pf kernel internals.
Pfctl source is available in the NetBSD tree in src/dist/pf/sbin/pfctl.
Documentation is available in pfctl(8).
During the project, we will need to use the ioctl interface (ioctl(9)) for
the communication between kernel and userland. We may use proplib to exchange
and store data (proplib(3)). Another option is to use the pfsync internal data
structures (no man page; the structures can be found in src/sys/dist/pf/net/pfvar.h).
Arnaud Degroote <degroote@NetBSD.org>
$Id: index.html,v 1.4 2009/07/20 18:46:11 zul_ Exp $