gofilter is a string filter for PF on OpenBSD using divert(4).
- Filters packets based on strings
- No noticeable degradation of latency
- 30% of the original bandwidth available
Important
gofilter is pre-alpha software.
Usage of gofilter:
-f string
strings to filter, comma separated
-p int
divert socket listening port (default 700)
gofilter makes use of the kernel packet diversion mechanism divert(4).
Therefore, PF has to be configured accordingly. For example to filter inbound
DNS traffic:
pass in proto udp to any port 53 divert-packet port 700
Caution
TCP segmentation offload will need to be disabled for the filter to not choke on large TCP packets:
sysctl net.inet.tcp.tso=0
Caution
IPv6 is currently broken at all.
gofilterreduces the available bandwidth down to 30%gofilterworsens the reliability of the traffic, as the standard deviation of the available bandwidth is very high
# Without gofilter
bandwidth min/avg/max/std-dev = 927.681/934.177/935.895/2.475 Mbps
# gofilter, without filter
bandwidth min/avg/max/std-dev = 0.023/310.585/925.562/293.994 Mbps
# gofilter, 1 filter
bandwidth min/avg/max/std-dev = 0.000/308.867/935.003/282.638 Mbps
# gofilter, 2 filter
bandwidth min/avg/max/std-dev = 0.023/313.504/916.121/261.767 Mbps
# gofilter, 10 filter
bandwidth min/avg/max/std-dev = 0.092/315.832/910.908/264.350 Mbps
The package may be used under the terms of the ISC License a copy of which may be found in the file LICENSE.
Unless you explicitly state otherwise, any contribution submitted for inclusion in the work by you shall be licensed as above, without any additional terms or conditions.