:2011/1/21 Sepherosa Ziehau <sepherosa@gmail.com>:
:> Hi all,
:Hi sephe
:>
:> ipfilter is not maintained in dragonfly at all, I plan to remove it.
:
:Just a word about it. Currently we (a french hoster http://www.nfrance.com) use
:DragonFly (2.6 has 2.8 broke ipsec) as primary OS for our routers (20 machines)
:with quagga and ipf. And it works really well (better than FreeBSD we were
:previously using).
:
:Our requirement for routing machines is to be able to gracefully handle
:200-300mb/s traffic load with filtering (stateless) and bgp/ospf routing
:(full table). Crash test is at 400mb/s in lab.
:
:We choose ipf for historical reasons (previously used on FreeBSD). But
:we experienced on FreeBSD that it's really faster than pf.
:
:Do you think there is currently another software (maybe ipfw) that can
:filter 200/300 mb/s load ?

PF in master should be able to do it but of course it is quite
experimental. I would worry about the state tables possibly getting
blown out. Currently the PF in master is not handling the tcp sequence
space properly and /etc/pf.conf must contain global options as follows
to run reliably:

    set keep-policy keep state (pickups, sloppy)

PF in 2.6 should work well and not require 'sloppy' (it might not
even support 'sloppy').

If you could possibly switch to PF that would be the best thing to do.
Having three different packet filters in DragonFly is just too many and
IPF is the least-used of the three.

IPSEC is another matter. Any breakage there should be fairly easy to
fix if we can get someone to mess with it. I can mess with it myself
sometime mid-February.

-Matt
Matthew Dillon <dillon@backplane.com>