From: Brett Glass
To: Luigi Rizzo
Cc: net@freebsd.org
Date: Mon, 19 Sep 2005 09:11:33 -0600
Subject: Re: Efficient use of Dummynet pipes in IPFW

At 01:59 AM 9/19/2005, Luigi Rizzo wrote:

>Same for as the 'resume' option. It might be nice to have,
>however but there is already a two-rule version (the one i
>suggested, follow the non-terminating action with a skipto rule)
>so its absence is not blocking you from doing what you want.

That option requires repeating ALL of the matching on the packet.
Not efficient, especially if the rule is complex. And pipes are usually
used in pairs, so the inefficiency is doubled.

>in terms of implementation, if you want to add it, the best place
>would be to add the 'skipto' fields to each 'action' opcode.
>I am not very interested in implementing it, though, because i still see
>ipfw as a low-level language.

I don't see it that way, because low level languages like assembler are
normally very efficient and highly granular. The underlying opcode
language of IPFW is low level for sure. But I would classify IPFW's
"language," as presented by the userland utility, as "high level but
limited." Sort of like the MS-DOS shell.

>> I've looked at the source and it's fragmented and virtually undocumented,
>
>are you talking about the userland part or the kernel code ?

Both. There are some parts that are better than others; for example,
the kernel part is more straightforward than the userland part and
has more comments. Yes, I know: some coders (the NetBSD folks are
notorious for this) seem to think that if you don't want to read
(and mentally reverse-engineer) all of the C code, you shouldn't be
touching it. But this leads to bugs, because even a good coder won't
know about "contracts" involving code in other places.

>i agree the userland part is a mess.
>But the kernel code i believe is reasonably documented
>(of course it could be documented better - patches welcome).
>the first 250 or so lines in ip_fw2.h are almost all comments
>describing the opcode formats.
>ip_fw2.c tries to describe rule parsing in the body of ipfw_chk()

Yep, I see that. But there are implicit contracts with the userland
side.... Some are obvious but some seem to be subtle.

--Brett Glass