From: Max Laier <max@love2party.net>
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org, Andre Oppermann
Date: Tue, 14 Dec 2004 15:21:39 +0100
Subject: Re: per-interface packet filters [summary]
Message-Id: <200412141521.53098.max@love2party.net>
In-Reply-To: <20041214060341.A77720@xorpc.icir.org>
References: <20041213124051.GB32719@cell.sick.ru> <41BEE0E7.BD2316EB@freebsd.org> <20041214060341.A77720@xorpc.icir.org>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Tuesday 14 December 2004 15:03, Luigi Rizzo wrote:
> On Tue, Dec 14, 2004 at 01:47:35PM +0100, Andre Oppermann wrote:
> ...
> > > > Implementation-wise, the kernel side is evidently trivial as the
> > > > original code already supports the idea of multiple chains. All
> > > > you need is to extend the struct ifnet with a pointer to the chain,
> > > > or use some other trick (e.g. going through ifindex) to quickly
> > > > associate a chain to the input (and possibly output) interface.
> >
> > Nonononononononononononononononononononononono.
>
> Andre, you need to cool down a bit!

We should all.

> I said "use some other trick" exactly to avoid changing
> the struct ifnet. All I meant to say is that we want a unique
> key, possibly in a small namespace, to quickly locate the per-if
> private firewall info. How the key is used is not the business of
> the rest of the kernel. But of course if it is an index in a
> smallish array (such as ifindex) the thing is fast and clean.

Well spoken! Let's just *not* go Linux here and have a "hook" on every layer
over and over and over again [1] ... because that certainly does *not* help
performance.

There is always room for optimization *within* the filter. Messing up struct
ifnet or other parts of the kernel with firewall information is not the way
to go.

[1] http://fxr.watson.org/fxr/ident?v=linux-2.6.9;i=NF_HOOK

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
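The design Luigi and Max converge on above (a per-interface chain located through a small key such as ifindex, held entirely inside the filter, with struct ifnet left untouched) sketched as an added C example. This is illustration code written for this page, not code from FreeBSD, ipfw or pf, and not anything the thread's participants posted; the fw_* names, FW_MAX_IFINDEX, the rule and packet shapes, and the treatment of ifindex 0 as invalid are all assumptions made for the example. The one caveat a practitioner would add to the "smallish array" idea is visible in fw_chain_for_if: the index must be bounds-checked, because interfaces can be created after the table was sized, and an unchecked ifindex would read past the array.

```c
/*
 * Added illustration, not code from FreeBSD, ipfw or pf: a packet filter that
 * keeps its own per-interface chain table keyed by ifindex, leaving struct
 * ifnet alone. All fw_* names, FW_MAX_IFINDEX and the rule/packet shapes are
 * assumptions made for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum fw_action { FW_PASS = 0, FW_DENY = 1 };

/* One rule: match on IP protocol and destination port, 0 meaning "any". */
struct fw_rule {
    uint8_t         proto;
    uint16_t        dport;
    enum fw_action  act;
    struct fw_rule *next;
};

/* A chain is an ordered rule list plus what to do when nothing matches. */
struct fw_chain {
    struct fw_rule *head;
    enum fw_action  default_act;
};

/*
 * Filter-private lookup table: slot i holds the chain for ifindex i, or NULL
 * when that interface has no chain of its own. This is the "smallish array
 * indexed by ifindex" from the thread; nothing outside the filter knows it.
 */
#define FW_MAX_IFINDEX 64
static struct fw_chain *fw_if_chain[FW_MAX_IFINDEX + 1];
static struct fw_chain  fw_global_chain = { NULL, FW_PASS };

/* Attach a chain to an interface. ifindex 0 is treated as invalid here. */
int fw_attach_chain(unsigned ifindex, struct fw_chain *c)
{
    if (ifindex == 0 || ifindex > FW_MAX_IFINDEX)
        return -1;              /* caller must grow the table first */
    fw_if_chain[ifindex] = c;
    return 0;
}

/*
 * O(1) chain lookup. The bounds check matters: interfaces can appear after
 * the table was sized, and an unchecked ifindex would read past the array.
 * Unknown or chain-less interfaces fall back to the global chain.
 */
static struct fw_chain *fw_chain_for_if(unsigned ifindex)
{
    if (ifindex > FW_MAX_IFINDEX || fw_if_chain[ifindex] == NULL)
        return &fw_global_chain;
    return fw_if_chain[ifindex];
}

static enum fw_action fw_run_chain(const struct fw_chain *c,
                                   uint8_t proto, uint16_t dport)
{
    for (const struct fw_rule *r = c->head; r != NULL; r = r->next) {
        if ((r->proto == 0 || r->proto == proto) &&
            (r->dport == 0 || r->dport == dport))
            return r->act;      /* first match wins */
    }
    return c->default_act;
}

/* Input-path entry point: the stack passes the receiving interface's index. */
enum fw_action fw_check_in(unsigned ifindex, uint8_t proto, uint16_t dport)
{
    return fw_run_chain(fw_chain_for_if(ifindex), proto, dport);
}

/*
 * Constructed scenario: ifindex 1 (an "outside" interface) gets a chain that
 * denies TCP/22 and passes the rest; ifindex 2 has no chain and so inherits
 * the global chain. Safe to call repeatedly.
 */
void fw_setup_demo(void)
{
    static struct fw_rule  deny_ssh = { 6, 22, FW_DENY, NULL };
    static struct fw_chain outside  = { &deny_ssh, FW_PASS };

    memset(fw_if_chain, 0, sizeof(fw_if_chain));
    fw_attach_chain(1, &outside);
}

int main(void)
{
    fw_setup_demo();
    printf("if1   tcp/22: %s\n", fw_check_in(1, 6, 22) == FW_DENY ? "deny" : "pass");
    printf("if1   tcp/80: %s\n", fw_check_in(1, 6, 80) == FW_DENY ? "deny" : "pass");
    printf("if2   tcp/22: %s\n", fw_check_in(2, 6, 22) == FW_DENY ? "deny" : "pass");
    printf("if999 tcp/22: %s\n", fw_check_in(999, 6, 22) == FW_DENY ? "deny" : "pass");
    return 0;
}
```

The point of the layout is that the input path does exactly one bounds check and one array load to find the right chain, and the global chain handles every interface that has no private one, so adding per-interface chains costs nothing on interfaces that do not use them. A real filter would replace the fixed array with one that grows when an interface index exceeds it, but the lookup and the fallback stay the same.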