Abstract
The BSD/OS IPFW packet filtering system is a well engineered, flexible kernel framework for filtering (accepting,
rejecting, logging, or modifying) IP packets. IPFW uses the well understood, widely available Berkeley Packet Filter
(BPF) system as the basis of its packet matching abilities, and extends BPF in several straightforward areas. Since the
first implementation of IPFW, the system has been enhanced several times to support additional functions, such as rate
filtering, network address translation (NAT), and traffic flow monitoring. This paper examines the motivation behind
IPFW and the design of the system. Comparisons with some contemporary packet filtering systems are provided.
Potential future enhancements for the IPFW system are discussed.
Packet filtering and packet capture have a long history A packet must be parsed to determine if it matches a
on computers running UNIX and UNIX-like operating given set of criteria. There are multiple ways of doing
systems. Some of the earliest work on packet capture this parsing, but a great deal of it amounts to looking
on UNIX was the CMU/Stanford Packet Filter [CSPF]. at a combination of bits at each network layer, before
Other early work in this area is the Sun NIT [NIT] device the examination of the next layer of the packet. There
interface. A more modern, completely programmable are multiple data structures designed for efficient repre-
interface for packet capture, the Berkeley Packet Filter sentation of the parsing rules needed to classify packets.
(BPF), was described by Steve McCanne and Van Ja- BPF uses a control flow graph (CFG) to represent the cri-
cobson [BPF]. BPF allows network traffic to be cap- teria used to parse a packet. The CFG is translated into
tured at a network interface, and the packets classified a BPF machine language program that efficiently prunes
and matched via a machine independent assembly pro- paths of the CFG that do not need to be examined during
gram that is interpreted inside the kernel. the parsing of a packet.
Ultimately, a standard BPF program decides whether
1.1 BPF: An Overview a packet is matched by the program. If a packet is
matched by the program, the program copies the spec-
BPF is extremely flexible, machine independent, rea-
ified amount of data into a buffer, for return to the user
sonably high speed, well understood, and widely avail-
program. Whether or not the packet was matched, the
able on UNIX operating systems. BPF is an interpreted,
packet continues on its normal path once the BPF pro-
portable machine language designed around a RISC-like
gram finishes parsing the packet.
LOAD/STORE instruction set architecture that can be
efficiently implemented on modern computers. BPF also has a limited facility for sending packets
out network interfaces. BPF programs using this fa-
BPF only taps network traffic in the network interface
cility must bind directly to a particular network inter-
driver. One important feature of BPF is that only pack-
face, which requires that the program know what inter-
ets that are matched by the BPF program are copied into
faces exist on the computer. This allows for sending any
a new buffer for copying into user space. No copy of
type of network packets directly out an interface, with-
the packet data needs to be made just to run the BPF
out regard to the kernel’s routing table. This is how the
program. BPF also allows the program to only copy
rarpd and dhcpd daemons work on many types of
enough of a packet to satisfy its needs without wasting
UNIX computers.
time copying unneeded data. For example, 134 bytes is
sufficient to capture the complete Ethernet, IP, and TCP BPF, as originally described, does not have a facil-
headers, so a program interested only in TCP statistics
ity for rejecting packets that have been received. BPF, capabilities would allow for a single BSD/OS computer
although described as a filter, can match packets, copy acting as a router to protect any other computers behind
them into other memory, and send packets, but it cannot the filter.
drop or reject them.
3 Need for Flexibility
2 Motivation An early design decision for IPFW was that the sys-
tem should present as flexible a matching and filtering
The need for a powerful and flexible packet matching framework as possible. As few filtering rules as possi-
and filtering language had been evident for a long time. ble should be directly embedded in the kernel. As much
The basic ideas for the BSD/OS IPFW system were the as possible, filtering configuration and policy should be
result of several years of thought about what features and installed into the kernel at runtime, rather than compiled
functions a packet filtering system must provide. Having into the system. This decision has reaped many bene-
highly flexible packet filtering for an end system would fits during the lifetime of this system. Because IPFW
be mandatory, and that same filtering system should be is extremely flexible, it has been applied to many prob-
applicable for filtering traffic that was being forwarded lems that were not in mind at the time it was designed.
through a computer. To borrow Robert Scheifler’s quote about the X Window
The immediate need for a flexible packet filtering System Protocol, IPFW is “intended to provide mecha-
framework came from a desire to run an IRC client in nism, not policy.” [RFC1013]
a rigidly controlled environment. This environment con-
sisted of a daemon that could be run in a chroot’d direc- 4 Other Packet Filters
tory structure, as well as a highly restrictive set of packet
As was noted earlier, there were several other packet
filters. These filters could not just prevent unwanted
filtering technologies when IPFW was first envisioned.
inbound packets, but perhaps more importantly, could
In the years since, other filtering technologies have been
also discard unwanted outbound packets. The BSD/OS
developed, some specific to a particular operating sys-
IPFW system was thus originally intended to filter both
tem and others available on a variety of platforms. A
the inbound and outbound traffic for a particular host.
comparative analysis with these other packet filters al-
Many of the most popular contemporary packet fil- lows one to more fully appreciate the flexibility of IPFW.
tering systems of the initial design era (circa 1995)
One of the most important differences between IPFW
were incapable of filtering packets destined for the lo-
and these other filtering systems is that IPFW actually
cal computer or originating from the local computer.
downloads complete programs to be evaluated against
The available filtering systems concentrated on filtering
the packets. The other filtering systems are all rules-
traffic that was being forwarded through the computer.
based. By evaluating an arbitrary program, an entirely
Other major problems with the existing packet filter-
new methodology of packet filtering can be installed
ing systems were the inability to do significant stateful
without rebooting the system. In a rules based system,
packet forwarding and unacceptably low performance
any new type of rules requires code changes to the fil-
[screend]. screend does keep track of IP fragments,
tering system, as well as a reboot to make it active. Dy-
which is a limited form of stateful packet filtering.
namic loadable kernel modules can approximate the pro-
Further motivation for a flexible packet filtering sys- gram download facility as modules could be replaced
tem was the lack of any other standard packet filtering with new filtering rule capabilities without requiring a
in the stock BSD/OS system of that era. There was system reboot.
customer demand for a bundled packet filtering system,
which was not fully met by the other widely available 4.1 Darren Reed’s ipfilter
packet filtering systems [ipfilter]. screend, the most
The ipfilter package is available on many versions of
widely available contemporary packet filtering system,
many UNIX-like operating systems, from BSD/OS to
provided many good lessons in packet filtering technol-
older systems such as IRIX to small-footprint systems
ogy. The BSD/OS IPFW system was designed with the
like QNX to frequently updated systems like FreeBSD.
lessons learned from screend in mind.
It supports packet filtering, provides a Network Ad-
A consideration for the implementation of a new, dress Translation (NAT) implementation, and can per-
flexible packet filtering framework was the realization form stateful packet filtering via an internal state table.
that as the Internet grew, the number of attacks from Like the other examined packet filters, ipfilter is a rules
other locations on the Internet would also grow. Hav- based system. It can log packet contents to the pseudo-
ing a powerful matching language tied to the filtering device “ipl.” [ipfilter] [ipfilterhowto]
4.2 FreeBSD’s ipfirewall System it does not have an established track record, and is still
undergoing change. [OpenBSD]
FreeBSD provides a packet filtering interface, known
as ipfirewall. This system is often referred to as ipfw, 4.6 TIS Firewall Toolkit
which is the name of the management command. This
is a rules based packet filtering mechanism, which is The TIS Firewall Toolkit (fwtk) and other proxy fire-
manipulated internally by socket options. There is an walls not only examine the source and destination of
additional kernel option (IPDIVERT) to add kernel di- packets, but also the protocol being sent. New applica-
vert sockets, which can intercept all traffic destined for tion proxies that understand the protocol must be written
a particular port, regardless of the destination IP address for each new type of service. While this approach does
inside the packet. The divert socket can intercept either allow for additional levels of security as the proxy can
incoming or outgoing packets. Incoming packets can be watch for attack methods that exploit a particular proto-
diverted after reception on an interface or before next- col, it requires a much deeper understanding of each new
hop routing. [FreeBSD] protocol before filtering that type of traffic. [fwtk]
4.4 Linux 2.4: iptables 5.2 Download Filter Programs into Kernel
The Linux iptables implementation (sometimes re- The concept of downloading filters into the kernel
ferred to as “netfilter”) is a complete rewrite and exten- was not a novel idea. The IPFW author was familiar
sion of the ipchains filtering system. Substantial cleanup with a few obscure packet filter technologies that had
and fixing of multiple idiosyncrasies in handling how the filter coded directly into the network stack. While
packets destined for the local computer are processed highly inflexible in operation, this type of filter system
have been made. Support for stateful packet filtering has did make an attacker work harder when attempting to
also been added to the system. The command line syn- subvert or weaken an installed filter. The marginal se-
tax for specifying packet headers for each rule has been curity benefit of a filter compiled into the kernel was
changed since the ipchains release. A QUEUE disposi- dwarfed by the numerous advantages of a downloadable
tion for a packet has been added, which specifies that packet filter. Early versions of IPFW had the ability
the packet will be transferred to a user process for addi- to both password protect filters as well as make down-
tional processing, using an experimental kernel module, loaded filters immutable. Both of these features were
ip queue. [iptables] eventually dropped as the additional security provided
only came into effect once the computer running the
4.5 OpenBSD’s “pf” System filter was compromised. Once the computer has been
compromised to that extent, the added security was not
OpenBSD 3.0 includes pf, a packet filter pseudo- considered to be valuable enough to warrant the costs of
device. As a rules-based filter, users are restricted to maintaining the implementation.
the available set of rules included with pf. Manipu-
lation of the pf pseudo-device is managed through the 5.3 IPFW Kernel Socket
pfctl command. Internally, the system is controlled
by ioctl calls to the pf device. Rules can be applied Prudent reuse of kernel facilities is always a goal
on an in or out basis, and can be tied to a specific in- when designing a new subsystem for the UNIX kernel.
terface as well. As a very new packet filtering mecha- The BSD/OS IPFW system needed a method for trans-
nism (it was written from scratch, starting in June 2001) mitting data about packets and filter programs from the
kernel to programs running in userspace. In some other Location Modify? Default Action
historic packet filters, this would have been done via pre-input yes accept
the ioctl system call, which requires some artificial input no reject
file to open. Adding a new system call for this purpose forward yes reject
might be justified, but every new system call is generally pre-output yes accept
viewed with suspicion. output no reject
Instead of adding a new system call, a new instantia- Table 1: IPFW Filtering Locations
tion of a kernel socket was made. A new pseudo-IP pro-
tocol was defined, which is accessed via a raw internet
domain socket. Because sockets were defined to provide
an efficient mechanism of moving streams or packets of filtering location has an associated default action. When
data to and from the kernel, they are appropriate for the a filtering location has at least one filter installed, if no
task of moving data about packet filtering to a user ap- explicit disposition for a packet is provided by the filter,
plication. In the case of the IPFW socket, the data is the default action will be applied to the packet. The pas-
always generated by the kernel. sage of packets through the various filtering locations is
described in detail in Section 6 of this paper.
The raw IPFW socket provides important function-
ality in a standard interface with which programmers 5.5 Stackable Filters
are familiar. The socket interface also provides for zero
(or many) readers of the data. An IPFW filter can send Each filtering point in the kernel is actually the attach-
packets or data about packets it has matched back to a ment point for a stack of filter programs. Filter programs
userspace program, regardless of the final disposition of can easily be pushed onto the stack, popped off the stack,
the packet. The userspace program may then log the or inserted into the middle of the stack for each filtering
packet, or it might further process a rejected packet, in- point. Individual filters each have a priority (a signed 32
cluding re-insertion of a possibly modified packet back bit number) that determines where the in the stack the
into the network via a raw IP socket. filter is actually placed. Multiple filters installed at the
High precision timestamps, in the form of a time- same priority, at the same filtering location, operate as a
spec structure, are available on packets read from the traditional stack.
kernel socket, if the user has requested them. This times- Filters may also have a symbolic tag to aid in their
tamp is added during the logging operation, so the user identification, replacement, or deletion.
application does not have to worry about getting an accu-
rate timestamp when it reads the packets from the socket. 5.6 Flexibility of Actions
IPFW uses the sysctl system call to pass informa-
After classifying a packet according to whatever rules
tion about filter programs back and forth between the
are in place, a packet filtering system has to perform an
kernel and userspace programs. sysctl is used to copy
operation on the packet. A simple packet filtering sys-
the filter programs into the kernel as they are installed.
tem has just two operations, “accept” and “reject.” The
It is also used for gathering statistics about the IPFW fil-
BSD/OS IPFW system has three additional operations.
ters installed on the computer. The sysctl interface is
The log action takes a specified amount of the packet
another example of a flexible programming paradigm. It
and copies it to the IPFW kernel socket. The call ac-
provided a natural expression of hierarchy that was eas-
tion allows the current packet to be passed to a different
ily expandable, did not require artificial files to open and
named filter for further processing. The next action
reused an existing kernel interface.
calls the next filter in the stack of filters installed at the
current filter location. In addition, the BSD/OS IPFW
5.4 Multiple Filtering Points
system allows packets to be modified explicitly by the
One of the unique features of the BSD/OS IPFW sys- filter program, or as the consequence of calling another
tem at the time it was designed was the inclusion of mul- filter program. The classic “accept” and “reject” actions
tiple filtering points in the kernel. The original BPF sys- have been extended so they can also optionally log the
tem only allowed for tapping of packet traffic at each packet to the kernel socket.
physical interface. The BSD/OS IPFW system provides
five logical points where filters may be installed in the 5.7 Filter Pool
kernel.
In addition to the explicit filtering points in the kernel
Table 1 lists each filtering location in the kernel. Each a pool of filter programs can be installed into the ker-
nel, not associated with a particular filtering point. This Network
allows common filter programs to be installed into the Interface
filter pool and then be referenced from any of the other
filters installed in the running system. Currently only incoming packet outgoing packet
BPF based filters have the ability to call a filter from the
pool. The filter called may delete the packet or return a IPFW
value associated with the packet. Typically this value is pre-input output
rience means that some filters are inefficient and others In order to change the filter, one would have to re-
do not take full advantage of IPFW features. A graphical compile the kernel and reboot the computer with the new
user interface could address these issues. kernel.