Using iohyve to Control pf
# Idea notepad on how to control pf using iohyve for a NAT

##### THIS IDEA IS NO LONGER BEING IMPLEMENTED. KEEPING DOCUMENT FOR HISTORICAL PURPOSES. WE WILL ADD AN "IOHYVE + PF" WIKI ENTRY TO HELP ROLL YOUR OWN.
The goal, at least at first, is to have one `iohyve` install on the hardcoded `bridge0` device. Guests not in the `NAT` can still be added as a normal `tap` to the "outside world." This feature is only to be used on systems where `pf` is not already being used by the user. We will provide documentation for the power users to roll their own

- `iohyve` will have functions to automatically add guests to a `NAT` if specified at
- `iohyve` will have functions for the user to specify `port forwarding` or adding a guest to a
- `tables` as a way to keep IPs in one place.
- Use a dataset `/iohyve/NAT` to store information
- Everyone should have a safe word. `iohyve pf panic` will basically run `pfctl -d` to stop `pf` in case things go south quick.
- `iohyve` manually (not at guest creation time), you can `iohyve pf commit confirm 5` to automatically `REVERT` changes to the `NAT` if things go south. I sure hope I don't get sued by Juniper or something.
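
The `commit confirm` idea above, sketched as an added example (not iohyve code): load a candidate pf ruleset and reload the previous one unless the operator confirms within the window. The function name, the flag-file confirmation and the `PFCTL` and `POLL_INTERVAL` variables are assumptions made for this sketch; `pfctl -nf` (parse only) and `pfctl -f` (load) are the only pfctl calls used.

```shell
#!/bin/sh
# Added example: timed "commit confirm" for a pf ruleset (hypothetical helper).
PFCTL="${PFCTL:-pfctl}"   # overridable so the logic can be exercised without pf

# pf_commit_confirm ACTIVE_CONF CANDIDATE_CONF MINUTES CONFIRM_FLAG
# Returns 0 if confirmed, 1 if reverted, 2 if the candidate was rejected
# before anything was loaded.
pf_commit_confirm() {
    active=$1 candidate=$2 minutes=$3 flag=$4
    backup="${active}.rollback"

    # Parse-only check first, so a syntax error never replaces working rules.
    $PFCTL -nf "$candidate" || return 2

    # Keep the known-good ruleset and clear any stale confirmation.
    cp -p "$active" "$backup" || return 2
    rm -f "$flag"

    # Install and load the candidate; on any failure restore immediately.
    cp "$candidate" "$active" && $PFCTL -f "$active" || {
        cp -p "$backup" "$active"
        $PFCTL -f "$active"
        return 1
    }

    # Wait for the operator to confirm by creating the flag file, e.g. from
    # a new SSH session, which proves the new rules still let them in.
    deadline=$(( $(date +%s) + minutes * 60 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if [ -e "$flag" ]; then
            rm -f "$flag" "$backup"
            return 0
        fi
        sleep "${POLL_INTERVAL:-5}"
    done

    # No confirmation in time: reload the previous ruleset.
    cp -p "$backup" "$active" && $PFCTL -f "$active"
    return 1
}
```

Run it detached from the session being changed (for example under `nohup`), so the revert still fires if the new rules cut that session off.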
Strongly recommend ipfw (over netmap) https://github.com/luigirizzo/netmap-ipfw and/or netmap-fwd https://github.com/Netgate/netmap-fwd in conjunction with VALE and the new netmap-backend virtio NIC https://github.com/freebsd/freebsd/commit/cac3f209134f9f95a431a8480d1275c640d86d7d#diff-f4318c2cf4a50c29e6990f3e8a8a5286. Brief HOWTO: https://gist.github.com/gonzopancho/f58516e98f6c8a5a3013 (added by @gonzopancho)