From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 19 12:02:53 2012
Message-ID: <50814166.1000602@networx.ch>
Date: Fri, 19 Oct 2012 14:02:46 +0200
From: Andre Oppermann <oppermann@networx.ch>
To: "Andrey V. Elsukov"
Cc: ipfw@freebsd.org, net@freebsd.org
Subject: Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time
References: <508138A4.5030901@FreeBSD.org>
In-Reply-To: <508138A4.5030901@FreeBSD.org>
List-Id: IPFW Technical Discussions

On 19.10.2012 13:25, Andrey V. Elsukov wrote:
> Hi All,
>
> Many years ago I already proposed this feature, but at that time
> several people were against it because, as they said, it could affect
> performance. Now we have high speed network adapters, an SMP kernel
> and network stack, several locks acquired in the path of each packet,
> and I have the ability to test this in the lab.
>
> So, I prepared a patch that removes the IPFIREWALL_FORWARD option from
> the kernel and makes this functionality always built in, but it is
> turned off by default and can be enabled via the sysctl(8) variable
> net.pfil.forward=1.
>
> http://people.freebsd.org/~ae/pfil_forward.diff
>
> Also we have done some tests with the Ixia traffic generator connected
> via a 10G network adapter. Tests have shown that there is no visible
> difference and no visible performance degradation.
>
> Any objections?

No objection as such. However, I don't entirely agree with the naming of
pfil_forward. The functionality is specific to IPFW and TCP: it does
transparent interjected termination of TCP connections on the local host
while keeping the original IP addresses and port numbers visible in
netstat output. So it's a feature of IPFW/IP and should be fitted in
there for the sysctl name and .h files instead of pfil.

-- 
Andre