Using iohyve to Control pf

#Idea notepad on how to control pf using iohyve for a NAT

#####THIS IDEA IS NO LONGER BEING IMPLEMENTED. KEEPING DOCUMENT FOR HISTORICAL PURPOSES. WE WILL ADD AN "IOHYVE + PF" WIKI ENTRY TO HELP ROLL YOUR OWN.

The goal, at least at first, is to have one NAT per iohyve install on the hardcoded bridge0 device. Guests not in the NAT can still be added as a normal tap to the "outside world." This feature is only to be used on systems where pf is not already being used by the user. We will provide documentation for the power users to roll their own /etc/rc.conf and /etc/pf.conf files.

• iohyve will have functions to automatically add guests to a NAT if specified at creation time.

• iohyve will have functions for the user to specify port forwarding or adding a guest to a NAT.

• Use tables as a way to keep IPs in one place.

• Use a dataset /iohyve/NAT to store information

• Everyone should have a safe word. iohyve pf panic will basically run pfctl -d to stop pf in case things go south quick.

• When changing pf properties using iohyve manually (not at guest creation time), you can iohyve pf commit confirm 5 to automatically REVERT changes to the NAT if things go south. I sure hope I don't get sued by Juniper or something.

• strongly recommend ifpw (over netmap) https://github.com/luigirizzo/netmap-ipfw and/or netmap-fwd https://github.com/Netgate/netmap-fwd in conjunction with VALE and the new netmap-backend virtio NIC https://github.com/freebsd/freebsd/commit/cac3f209134f9f95a431a8480d1275c640d86d7d#diff-f4318c2cf4a50c29e6990f3e8a8a5286 brief HOWTO: https://gist.github.com/gonzopancho/f58516e98f6c8a5a3013 (added by @gonzopancho)