Date: Mon, 5 Apr 1999 02:49:43 -0400 (EDT) From: Brian Feldman <green@unixhelp.org> To: Julian Elischer <julian@whistle.com> Cc: Peter Wemm <peter@netplex.com.au>, "Matthew N. Dodd" <winter@jurai.net>, hackers@FreeBSD.ORG Subject: Re: ipfw uid Message-ID: <Pine.BSF.4.05.9904050248080.31634-100000@janus.syracuse.net> In-Reply-To: <Pine.BSF.4.05.9904042321150.282-100000@s204m82.isp.whistle.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 4 Apr 1999, Julian Elischer wrote:
> On Mon, 5 Apr 1999, Peter Wemm wrote:
>
> > At one point I was toying with the idea of trying to do something like this
> > kind of counting at the socket level, rather than at the packet stream
> > level. Sure, it would have lost the packet overheads, but it should be
> > easier..
> >
> > Cheers,
> > -Peter
>
> One reason to do it at the socket level is that UID accounting can only
> work on the local level anyway. Doing it at the lower levels uses
> resources for all traffic local or not.. You also get charged for all
> retries etc which may, or may not, be fair depending on your point of
> view.
But this is about so much more than accounting. Say, I could prevent
certain users from certain IPs with certain ports, certain protocols, etc.
This is flexibility in a REAL firewall, not just some little IP accounting
thing. Besides, I'm finished with it!
>
> Also doing it at socket layer allows you to not incur any work in the case
> of excempt processes. Whether a process should or should not be charged
> can be cached in the socket structure rather than being worked out on the
> fly each time.
>
> I don't think the ipfw interface is the right place for this.
>
> ipfw is acting as a cancerous growth. Speaking as one of the culprits,
> I think it's possibly time to think about the careful cleaning of hte
> FreeBSD stacks. Garret has som good work in the wings re: the tcp timers,
> but there are a number of really messy parts.
>
> e.g.
> rtentries refer directly to interfaces in a number of places where they
> should refer to the ifaddrs. reference counting between ifaddrs and ifnets
> and rtentries is pretty much broken, and only works by 'good will'.
> The ability to invalidate addresses and interfaces is held together by
> chewing gum. Recovery of old rtentries is in great need of cleaning up.
>
>
> julian
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
>
Brian Feldman _ __ ___ ____ ___ ___ ___
green@unixhelp.org _ __ ___ | _ ) __| \
FreeBSD: The Power to Serve! _ __ | _ \__ \ |) |
http://www.freebsd.org _ |___/___/___/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9904050248080.31634-100000>