Date: Tue, 17 Mar 2015 02:15:08 +0100 From: Kristof Provost <kristof@sigsegv.be> To: Eric van Gyzen <vangyzen@FreeBSD.org> Cc: freebsd-net@freebsd.org, bz@FreeBSD.org, ae@FreeBSD.org, freebsd-pf@freebsd.org Subject: Re: PF IPv6 fragments handling Message-ID: <20150317011507.GC2036@vega.codepro.be> In-Reply-To: <5506DFFB.7050302@FreeBSD.org> References: <20150203202519.GD2167@vega.codepro.be> <20150209232416.GB37777@vega.codepro.be> <20150314020500.GW1975@vega.codepro.be> <5506DFFB.7050302@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2015-03-16 09:51:55 (-0400), Eric van Gyzen <vangyzen@FreeBSD.org> wrote: > Here is a brainstorm that might give the best of both: Return the > reassembled packet from PFIL_IN, but with the original fragment chain > stashed in metadata. Most of the stack operates on the single, > reassembled packet. ip6_output() sends the original fragment chain. > Sure, it uses more memory, but reduced CPU time might be worth it. > It's an interesting idea. There are a number of advantages (like not modifying the fragment ID or the sizes of each packet). It won't reduce CPU usage though because we'd have to copy the packet which is something we don't do at the moment. In addition to that there's the concern you pointed out that we'd forget to adapt them both, or that we'd end up checking the wrong one at any point in the stack. Regards, Kristof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150317011507.GC2036>