NetBSD Packet Filter information
The NetBSD version of PF is obsolete, and its use is strongly discouraged. NPF should be used instead.
The OpenBSD Packet Filter has been integrated in NetBSD since July 2004 and the first supporting release was NetBSD 3.0. Usage of PF in NetBSD is basically the same as in OpenBSD, but there are a few differences. This page tries to explain the differences and provides additional information about the port and integration of PF in NetBSD.
- Kernel options
- Enabling PF
- PF in bridge setup
- Differences with OpenBSD
NetBSD 4.0 includes PF from OpenBSD 3.7 with patches from the 3.7 branch.
NetBSD 3.0 was the first release with official support for PF. It includes PF from OpenBSD 3.6 with patches from the 3.6 branch.
To use PF, you don't need to compile your own kernel. In versions of
NetBSD prior to 6.0, you can use the LKM. Use modload(8) to load the LKM:
# modload /usr/lkm/pf.o
To use PF with NetBSD 6.0 (on architectures that support modules), you
can use the module
Use modload(8) to load the module (if it was not loaded at boot
# modload pf
But if you prefer to use PF in the base kernel, then you need at least the following option enabled:
options PFIL_HOOKS # pfil(9) packet filter hooks
This option should be enabled in the GENERIC kernel by default. To enable PF in the kernel, the following pseudo-devices should be added to the kernel configuration:
pseudo-device pf # PF packet filter
pseudo-device pflog # PF log interface
If you're not interested in logging packets with PF, then you might want to leave out the pflog device.
You need to recompile and install the kernel for the settings to take effect.
To enable PF at boot-time, set
Please note that the boot procedure will be aborted if the PF configuration
file doesn't exist (see also Configuration).
To start, stop, restart or reload PF manually, you can use the rc.d script
On NetBSD versions older than 6.0, to load the LKM at boot-time, you
need to set
/etc/rc.conf and add the following line to
/usr/lkm/pf.o - - - - BEFORENET
Beginning with NetBSD 6.0, to load the module at boot-time (on
architectures that support modules), you simply need to edit
/etc/rc.conf as noted above.
If /usr is on another partition from the root partition, you'll also need to
add the following to
The default configuration file is
This can be changed by setting the variable
The initial configuration file is /etc/defaults/pf.boot.conf. This
configuration is only used during the network configuration to protect the
machine from possible attacks. You can override the default initial
configuration by creating a file named /etc/pf.boot.conf, but that should
not be needed in most setups.
Please see pf.boot.conf(5) for more information about this file.
The syntax of both configuration files is described in the manual page pf.conf(5).
PF in bridging mode is supported, but you need to compile a new kernel to enable packet filtering on a bridge. The following line should be added to the kernel configuration:
options BRIDGE_IPF # bridge uses IP/IPv6 pfil hooks too
# brconfig bridgeN ipf
The "ipf" option also applies to PF, because this option actually enables the pfil(9) interface. PF should now be able to filter packets on the interfaces configured as the bridge. Note that you only need to filter on one interface, because the same data goes through both interfaces.
Using ALTQ in PF is supported since NetBSD 4.0. The following kernel options are relevant:
options ALTQ # Manipulate network interfaces' output queues
options ALTQ_CBQ # Class-Based Queueing
options ALTQ_HFSC # Hierarchical Fair Service Curve
options ALTQ_PRIQ # Priority Queueing
options ALTQ_RED # Random Early Detection
Please note that you must compile PF into the kernel; using the PF LKM together with ALTQ in the kernel will not work.
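The following added example (not part of NetBSD or of the original page) audits a kernel configuration file for the settings this page lists: PFIL_HOOKS, the pf and pflog pseudo-devices, BRIDGE_IPF, and the rule that ALTQ needs PF compiled into the kernel. The function names and the sample configuration are hypothetical, and the script assumes one option or pseudo-device per line.

```shell
#!/bin/sh
# Added example (not part of NetBSD): audit a kernel configuration file
# for the PF-related settings listed on this page.
# Assumes one option or pseudo-device per line.

# has_line FILE KEYWORD NAME: true if FILE has an active "KEYWORD NAME" line.
has_line() {
    awk -v kw="$2" -v name="$3" '
        { sub(/#.*/, "") }      # strip comments, so "#options X" is inactive
        $1 == kw && $2 == name { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_pf_kernconf FILE: print findings; return 1 if a required setting
# is missing or ALTQ is enabled without PF in the kernel.
check_pf_kernconf() {
    conf=$1 rc=0
    has_line "$conf" options PFIL_HOOKS ||
        { echo "MISSING options PFIL_HOOKS"; rc=1; }
    has_line "$conf" pseudo-device pf ||
        { echo "MISSING pseudo-device pf"; rc=1; }
    has_line "$conf" pseudo-device pflog ||
        echo "NOTE no pflog: PF will not be able to log packets"
    has_line "$conf" options BRIDGE_IPF ||
        echo "NOTE no BRIDGE_IPF: no packet filtering on bridges"
    # ALTQ requires PF compiled into the kernel, not loaded as an LKM.
    if has_line "$conf" options ALTQ && ! has_line "$conf" pseudo-device pf
    then
        echo "CONFLICT options ALTQ without pseudo-device pf"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: ALTQ is enabled but pf is commented out.
sample_conf() {
    cat <<'EOF'
options         PFIL_HOOKS      # pfil(9) packet filter hooks
#pseudo-device  pf              # PF packet filter
pseudo-device   pflog           # PF log interface
options         ALTQ            # Manipulate network interfaces' output queues
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_pf_kernconf "$tmp" || echo "=> kernel configuration needs changes"
rm -f "$tmp"
```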
Nothing special is needed to configure ALTQ; just follow the documentation to
set up the rules. Some example rules can be found in
There are a few differences in PF for NetBSD when compared to OpenBSD. Most of them are missing features.
- pfsync(4) is supported since NetBSD 6.0.
- pfs(8) is supported since NetBSD 6.0.
- altq(4) is supported since NetBSD 4.0.
- carp(4) is supported since NetBSD 4.0.
- The 'group' keyword does nothing, because NetBSD doesn't keep the GID in the uidinfo structure. This issue will probably be solved in a future release.
- Filtering on route labels does not work, because NetBSD doesn't have labels for routes. It is unknown whether this will be supported in a future release or not.
- The initial configuration file pf.boot.conf(5) is a NetBSD-specific file. OpenBSD loads the initial configuration for PF from /etc/rc, which is a bit clumsy in case you need to change it. For this reason NetBSD has added a new file for the initial PF configuration.
- spamd was originally imported into NetBSD, but it was removed before 3.0 was released. It is not considered to be part of PF and has been made available via pkgsrc (mail/spamd).
- altq(4) - alternate queuing framework
- carp(4) - Common Address Redundancy Protocol
- pf(4) - packet filter
- pflog(4) - packet filter logging interface
- pfsync(4) - packet filter state table logging interface
- altq.conf(5) - ALTQ configuration file
- pf.boot.conf(5) - initial configuration for packet filter
- pf.conf(5) - packet filter configuration file
- pf.os(5) - format of the operating system fingerprints file
- altqd(8) - ALTQ daemon
- authpf(8) - authenticating gateway user shell
- ftp-proxy(8) - Internet File Transfer Protocol proxy server
- pfctl(8) - control the packet filter (PF) and network address translation (NAT) device
- pflogd(8) - packet filter logging daemon
- pfs(8) - save and restore information for NAT and state tables