From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 2 10:13:38 2012
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5C98B106566B; Mon, 2 Jul 2012 10:13:38 +0000 (UTC) (envelope-from alter@alter.org.ua)
Received: from homecat.alter.org.ua (homecat.alter.org.ua [IPv6:2a01:d0:0:1c::34]) by mx1.freebsd.org (Postfix) with ESMTP id D02E68FC08; Mon, 2 Jul 2012 10:13:37 +0000 (UTC)
Received: from stealth.netassist.ua (stealth.netassist.ua [195.214.211.142]) by homecat.alter.org.ua (8.14.3/8.14.3) with ESMTP id q62ADJtS082854; Mon, 2 Jul 2012 13:13:19 +0300 (EEST) (envelope-from alter@alter.org.ua)
Date: Mon, 2 Jul 2012 13:24:09 +0200
From: Alter <alter@alter.org.ua>
Organization: AlterWare
X-Priority: 3 (Normal)
Message-ID: <602292882.20120702132409@alter.org.ua>
To: Luigi Rizzo
In-Reply-To: <20120701190921.GA63663@onelab2.iet.unipi.it>
References: <201207011554.q61FsZ6A039188@freefall.freebsd.org> <20120701190921.GA63663@onelab2.iet.unipi.it>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.6 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,SUBJ_RE_NUM autolearn=no version=3.2.3
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on homecat.alter.org.ua
Cc: freebsd-ipfw@freebsd.org, melifaro@freebsd.org, bug-followup@freebsd.org
Subject: Re[2]: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Alter <alter@alter.org.ua>
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 02 Jul 2012 10:13:38 -0000

Hello Luigi,

Seems Alex answered most of your questions.

LR> On the negative side:
LR> - documentation on new features is completely absent. Just a brief mention
LR> in the manpage of ftag/funtag, a short comment in a C source code.
# Fast ipfw tagging (ftag) - you can assign up to 32 ftags on a packet. All ftags are stored in a single memory block as a bitmap. They are faster than usual tags, which allocate a separate memory block for each tag.
# Local ipfw tagging (ltag) - you can assign up to 32 ltags on a packet. Ltags are not preserved when the packet leaves the ipfw ruleset (e.g. is sent to another interface, diverted or passed through a pipe). The benefit is performance - ltag does not require memory allocation at all.

(from http://alter.org.ua/soft/fbsd/ipfw/)

LR> - a large number of changes to the userspace code replaces errx()
LR> with return my_err(...) . I might agree on the principle, but
LR> I'd like to see a few notes on why this change is required,
LR> and whether it can be applied independently of the others.

This change is required to let -q work properly in all cases. Because of incomplete error handling, ipfw may eventually exit when processing an incorrect rule regardless of the -q option. Such behavior seems to be dangerous, especially when dealing with remote servers and auto-generated rulesets. E.g. a ruleset may become invalid because of the removal of some interface from the system. Also, an incorrect update of an external config file (used for ruleset generation) may leave the system in an inaccessible state.

my_err() either calls errx() (without -q) or returns a proper error code for handling in the caller (with -q).

-- 
Best regards,
Alter mailto:alter@alter.org.ua
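To make the ftag/ltag description concrete, here is an added example (not code from the mail, the patch, or ipfw itself) of what a 32-slot bitmap tag set looks like: both tag kinds are a single 32-bit word per packet, setting or testing a tag is one bitwise operation with no allocation, and "leaving the ruleset" is modelled as clearing the local word. The `pkt_tags` struct and function names are assumptions for the illustration; the bound of 32 tags per kind comes from the mail.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the ftag/ltag idea: up to 32 tags of each kind,
 * held as bitmaps in one small per-packet block instead of one
 * allocation per tag (hypothetical struct, not ipfw's own). */
#define NTAGS 32u

typedef struct pkt_tags {
    uint32_t ftag;   /* "fast" tags: stay on the packet across ruleset exits */
    uint32_t ltag;   /* "local" tags: dropped once the packet leaves the ruleset */
} pkt_tags;

static bool tag_in_range(unsigned n) { return n < NTAGS; }

/* Set tag n in mask; false (and no change) when n is out of range. */
static bool mask_set(uint32_t *mask, unsigned n)
{
    if (!tag_in_range(n)) return false;
    *mask |= (uint32_t)1 << n;
    return true;
}

static bool mask_test(uint32_t mask, unsigned n)
{
    return tag_in_range(n) && (mask & ((uint32_t)1 << n)) != 0;
}

static bool mask_clear(uint32_t *mask, unsigned n)
{
    if (!tag_in_range(n)) return false;
    *mask &= ~((uint32_t)1 << n);
    return true;
}

/* Number of bits set; portable popcount so no compiler builtin is needed. */
static unsigned mask_count(uint32_t mask)
{
    unsigned c = 0;
    for (; mask; mask &= mask - 1) c++;
    return c;
}

bool ftag_set(pkt_tags *t, unsigned n)       { return mask_set(&t->ftag, n); }
bool ftag_test(const pkt_tags *t, unsigned n) { return mask_test(t->ftag, n); }
bool ftag_clear(pkt_tags *t, unsigned n)     { return mask_clear(&t->ftag, n); }
bool ltag_set(pkt_tags *t, unsigned n)       { return mask_set(&t->ltag, n); }
bool ltag_test(const pkt_tags *t, unsigned n) { return mask_test(t->ltag, n); }
unsigned ftag_count(const pkt_tags *t)        { return mask_count(t->ftag); }
unsigned ltag_count(const pkt_tags *t)        { return mask_count(t->ltag); }

/* Packet leaves the ipfw ruleset (other interface, divert, pipe):
 * local tags are discarded, fast tags survive. */
void leave_ruleset(pkt_tags *t) { t->ltag = 0; }

/* Fresh packet: no tags of either kind. */
void pkt_tags_init(pkt_tags *t) { memset(t, 0, sizeof *t); }
```

A practical consequence for rule authors: because the tag namespace is fixed at 32 slots, out-of-range tag numbers must be rejected at rule-parse time rather than silently wrapped, which is what the range check above models.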
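The my_err() point above is about availability: a rule loader that aborts on the first bad rule can leave a remote box without its firewall. The following is an added example (mine, not the patch's code) of that pattern: `my_err()` behaves like `errx()` when quiet mode is off and otherwise reports and returns an error code, so a toy rule loader can skip the one rule that references a missing interface and still install the rest. The `quiet_mode` flag, the `parse_rule`/`load_ruleset` functions and the interface list are assumptions for the illustration.

```c
#include <err.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical global standing in for the state set by "ipfw -q". */
static bool quiet_mode = false;

/* Without -q: abort the process exactly as errx() would.
 * With -q: print the message and hand the error code back to the caller. */
int my_err(int code, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    if (!quiet_mode)
        verrx(code, fmt, ap);          /* does not return */
    vfprintf(stderr, fmt, ap);
    fputc('\n', stderr);
    va_end(ap);
    return code;
}

/* Constructed "known interfaces" table; a real loader would ask the kernel. */
static const char *known_ifaces[] = { "em0", "em1", NULL };

/* Toy rule check: the rule is valid only if its interface still exists.
 * Returns 0 on success or the error code from my_err(). */
int parse_rule(const char *iface)
{
    for (const char **p = known_ifaces; *p; p++)
        if (strcmp(*p, iface) == 0)
            return 0;
    return my_err(1, "rule refers to unknown interface %s", iface);
}

/* Load a batch of rules, counting failures instead of stopping at the first.
 * Returns the number of rules that were skipped. */
int load_ruleset(const char *const *ifaces, size_t n)
{
    int failed = 0;
    for (size_t i = 0; i < n; i++)
        if (parse_rule(ifaces[i]) != 0)
            failed++;
    return failed;
}

int main(void)
{
    /* Constructed ruleset: the middle rule names an interface that is gone. */
    const char *const rules[] = { "em0", "vlan7", "em1" };
    quiet_mode = true;   /* as if invoked with -q */
    int skipped = load_ruleset(rules, 3);
    printf("%d of 3 rules skipped, remaining rules still installed\n", skipped);
    return 0;
}
```

The detail worth checking in any such change is that every `errx()` on the quiet-mode path is really converted: a single remaining `errx()` deep in the parser is enough to reintroduce the abort-and-lockout behaviour the mail describes.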