NPF: NetBSD’s new packet filter

The NetBSD Foundation announced NPF, a new packet filter designed for high performance on multiprocessor machines, and for easy extensibility.

Highlights of NPF features include:

• MP-safety and locklessness for scalable MP performance: no longer is the packet filter the bottleneck in your multicore router
• Fast hash-table and red-black tree lookups
• Stateful packet filtering, Network Address Port Translation (NAPT), and Application-Level Gateways (ALGs) for, e.g., traceroute
• The N-Code processor, a packet-inspection engine inspired by BPF: the N-Code processor is programmed to match packets using generic, RISC-like instructions and a few CISC-like instructions for common patterns such as IPv4 addresses
• Familiar configuration syntax and utilities
• Modularity and extensibility: users extend NPF by loading a kernel module. NPF provides developers with an extensions API. NPF rules can embed a hook that invokes an extension.

By the end of January, NPF should have all of the capabilities that NetBSD users have come to expect by using the other filters in the kernel:

• IPv4 reassembly support
• Bi-directional NAT and port forwarding (re-direction)
• FTP proxy support
• IP header flags cleansing
• ICMP packets and TCP RST packet blocking
• Save/restore state
• Packet logging, configurable using filter rules.

NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF is unique for using a bytecode interpreter in its packet-inspection engine, and for answering the question, “What does a packet filter designed from the bottom up for multiprocessor systems look like?”