Summer of Code results: A tool to dump and restore pf(4) state
Overview
This summer I mentored Arnaud Degroote's Summer of Code project 'A tool to dump/restore the pf state table'.
Goals
Pf is a powerful packet filter with a large number of features, but it lacks the capability to dump the contents of its internal state table to a file so that the table can be restored after a reboot, preserving existing connections. The solution suggested by the OpenBSD project is to use pfsync(4) to synchronise two instances of pf, but that requires a second machine. The first goal of the project was therefore to implement a tool for pf(4) similar to ipfs(8) for ipf(4).
Results
At mid-term, Arnaud had a working pfs tool able to dump and restore the internal state table of pf, using a binary format to store the information. After that, he extended the tool to dump and restore the state table in an ASCII format as well. An ASCII format makes it easy to apply transformations to the state table with standard unix tools, without having to implement ad-hoc options in the pfs tool (such as ipfs -i if1,if2).
In the second part of the SoC, Arnaud imported pfsync(4) from OpenBSD (the version from OpenBSD 4_2 plus a few more patches) and updated the various network userland tools to work with it. This part of the work was merged into the NetBSD tree on September 14th.
In the last few weeks, Arnaud has been looking into integrating a more recent version of pf(4) into NetBSD, but little work has been done on this yet. He hopes to continue working on it, but does not have a lot of spare time these days.
pfs(8) is usable now, but it is not yet integrated into the NetBSD tree. If you want to play with it, it can be found on my GSoC page (http://netbsd-soc.sourceforge.net/projects/pfstate/). Arnaud tells me he would like to integrate it with pf 4_5 (or 4_6 now), then update the pfs tool to understand the new pfsync_state structure, before asking for a public review and integration into NetBSD (and, in a perfect world, into OpenBSD).