Date:      Tue, 14 Dec 2004 15:21:39 +0100
From:      Max Laier <max@love2party.net>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        Andre Oppermann <andre@freebsd.org>
Subject:   Re: per-interface packet filters [summary]
Message-ID:  <200412141521.53098.max@love2party.net>
In-Reply-To: <20041214060341.A77720@xorpc.icir.org>
References:  <20041213124051.GB32719@cell.sick.ru> <41BEE0E7.BD2316EB@freebsd.org> <20041214060341.A77720@xorpc.icir.org>


On Tuesday 14 December 2004 15:03, Luigi Rizzo wrote:
> On Tue, Dec 14, 2004 at 01:47:35PM +0100, Andre Oppermann wrote:
> ...
>
> > > Implementationwise, the kernel side is evidently trivial as the
> > > original code already supports the idea of multiple chains.  All
> > > you need is to extend the struct ifnet with a pointer to the chain,
> > > or use some other trick (e.g. going through ifindex) to quickly
> > > associate a chain to the input (and possibly output) interface.
> >
> > Nonononononononononononononononononononononono.
>
> andre you need to cool down a bit!

We should all.

> i said "use some other trick" exactly to avoid changing
> the struct ifnet. All i meant to say is that we want a unique
> key, possibly in a small namespace, to quickly locate the per-if
> private firewall info. How the key is used is not a business of
> the rest of the kernel. But of course if it is an index in a
> smallish array (such as ifindex) the thing is fast and clean.

Well spoken! Let's just *not* go Linux here and have a "hook" on every layer
over and over and over again [1] ... because that certainly does *not* help
performance.

There is always room for optimization *within* the filter. Messing struct
ifnet or other parts of the kernel with firewall information is not the way
to go.

[1] http://fxr.watson.org/fxr/ident?v=linux-2.6.9;i=NF_HOOK

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
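The design sketched in the quoted text, as an added example for this page and not FreeBSD's or ipfw's own code: the firewall keeps a small ifindex-keyed table of chains in its own module, so struct ifnet gains no field and the input path does one array index to find the right chain. The `ifnet_stub`, the rule format, `FW_MAX_IF` and the addresses are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#define FW_MAX_IF 64                      /* assumed small ifindex namespace */
enum fw_action { FW_PASS = 0, FW_DENY = 1 };
struct fw_rule  { uint32_t dst; enum fw_action act; };        /* dst 0 = any */
struct fw_chain { const struct fw_rule *rules; size_t nrules; enum fw_action dflt; };
/* Minimal stand-in for the kernel's interface object (constructed): the
 * firewall only reads its index and adds no field of its own to it. */
struct ifnet_stub { int if_index; };
/* Firewall-private table: ifindex -> chain; NULL falls back to the default. */
static const struct fw_chain *fw_ifchains[FW_MAX_IF];
static const struct fw_chain *fw_default_chain;
int fw_attach_chain(int ifindex, const struct fw_chain *c)
{
    if (ifindex < 0 || ifindex >= FW_MAX_IF)      /* the key must be bounded */
        return -1;
    fw_ifchains[ifindex] = c;
    return 0;
}

static enum fw_action fw_run_chain(const struct fw_chain *c, uint32_t dst)
{
    for (size_t i = 0; i < c->nrules; i++)        /* first match wins */
        if (c->rules[i].dst == 0 || c->rules[i].dst == dst)
            return c->rules[i].act;
    return c->dflt;
}

/* Input-path check: one array index selects the chain, no per-layer hooks. */
enum fw_action fw_check_input(const struct ifnet_stub *ifp, uint32_t dst)
{
    const struct fw_chain *c = NULL;
    if (ifp->if_index >= 0 && ifp->if_index < FW_MAX_IF)
        c = fw_ifchains[ifp->if_index];
    if (c == NULL) c = fw_default_chain;
    return c ? fw_run_chain(c, dst) : FW_PASS;
}

/* Constructed sample policy: ifindex 1 ("outside") admits only 10.0.0.5 and
 * denies the rest; ifindex 2 ("inside") has no chain and uses the default. */
static const struct fw_rule outside_rules[] = { { 0x0a000005u, FW_PASS }, { 0, FW_DENY } };
static const struct fw_chain outside_chain = { outside_rules, 2, FW_DENY };
static const struct fw_chain default_chain = { NULL, 0, FW_PASS };

void fw_demo_setup(void)
{
    fw_default_chain = &default_chain;
    fw_attach_chain(1, &outside_chain);
}
```

The bounds check in `fw_attach_chain` and `fw_check_input` is what keeps "a key in a small namespace" safe: an out-of-range index is rejected rather than read past the table.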
