Re: per-interface packet filters, design approach
From: Gleb Smirnoff (glebius_at_freebsd.org)
Date: 12/15/04
- Previous message: Gleb Smirnoff: "Re: per-interface packet filters"
- In reply to: Andre Oppermann: "Re: per-interface packet filters, design approach"
- Next in thread: Andre Oppermann: "Re: per-interface packet filters, design approach"
- Reply: Andre Oppermann: "Re: per-interface packet filters, design approach"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 15 Dec 2004 15:10:33 +0300 To: Andre Oppermann <andre@freebsd.org>
On Wed, Dec 15, 2004 at 12:04:12PM +0100, Andre Oppermann wrote:
A> > On Tue, Dec 14, 2004 at 03:03:27PM +0100, Andre Oppermann wrote:
A> > A> d1. The PFIL_HOOKS API has one hook per direction per protocol and
A> > A> passes the interface information to the firewall package.
A> > A> d2. Should the PFIL_HOOKS API be changed and be per interface instead
A> > A> of per protocol? All firewall packages need to be modified and
A> > A> we are no longer compatible with the PFIL_HOOKS API.
A> >
A> > s/API/usage/g
A>
A> See my previous mail why your proposal is broken by design.
Probably many routers are broken by design, too?
A> > Andre, you are the person, who is optimizing our IP stack. Can you ask
A> > this question, please: if the interface has no filters associated with it,
A> > why the hell the packets running on it would enter firewall functions?
A>
A> Listen Gleb, first and formost I'm cleaning up network stack from years
A> of bolt-on hackery to make it maintainable and easily understandable and
A> extendable again.
<dirty flame>
But 4.x is more STABLE than 5.x, while it has rotten design, isn't it?
Moreover some things stopped working because of better design! Now we have
kern/71910, kern/73129, kern/73910, plus dozens of people who do not write
PR because they see these three. But we have better design.
</dirty flame>
A> If there is a trade-off to be made between a few CPU cycles wasted with a
A> clean and structured design versus some hackery pseudo-optimization I'm
A> going to do the former. This is always the more viable choice.
A> When looking at the BSD history one thing stands out: Wherever we had a
A> very clean, concise and documented API (for example protocol independent
A> sockets) things started to fly. In the network area we have the protosw
A> structure and API which allows to add any type of network protocol very
A> easily into the kernel. This has allowed BSD to support many different
A> network protocols. Most recently IPv6. The price to pay for the small
A> indirection protosw has is nothing compared to the adavantages of a good
A> and clean API design.
A>
A> History tells us that sticking to certain design principals pays off very
A> well and is worth some amount of performance tradeoffs. Feel free to ask
A> Kirk McKusick on this lession of history.
Good. I'm trying to convince you that design of attaching filters to interfaces
is not mad, and we should choose it, stick to it, and be happy.
Protocol level packet filters are excellent for hosts, but not for routers.
You ain't say that we are building not a router platform. We are building
a multipurpose platform, that's why I suggest protocol level and per-interface
filters coexist.
-- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Gleb Smirnoff: "Re: per-interface packet filters"
- In reply to: Andre Oppermann: "Re: per-interface packet filters, design approach"
- Next in thread: Andre Oppermann: "Re: per-interface packet filters, design approach"
- Reply: Andre Oppermann: "Re: per-interface packet filters, design approach"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
