cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
oberman at es.net
Fri Feb 27 11:16:04 PST 2004
> From: Sam Leffler <sam at errno.com>
> Date: Fri, 27 Feb 2004 08:18:12 -0800
> Sender: owner-cvs-all at freebsd.org
> On Friday 27 February 2004 12:28 am, Dag-Erling Smørgrav wrote:
> > Sam Leffler <sam at errno.com> writes:
> > > I made two attempts to eliminate all the ipfw-, dummynet-, and
> > > bridge-specific code in the ip protocols but never got stuff to the
> > > point where I was willing to commit it. My main motivation for doing
> > > this was to eliminate much of the incestuous behaviour so that you
> > > could reason about locking requirements but there were other benefits
> > > (e.g. I was also trying to make the ip code more "firewall agnostic").
> > The ideal solution would be to convert the entire networking stack to
> > netgraph nodes; we could then insert filter nodes at any point in the
> > graph.
> I consider netgraph a fine prototyping system. I think that using it for
> this purpose would be a mistake.
Back about 20 years ago I took my first class on the TCP/IP stack from
Len Bosak of Stanford (before Cisco). He pointed out that most of the
layering rules for the stack were for convenience and were also ignored
when they impact performance. The very existence of ICMP is a layering
TCP/IP pre-dates the OSI reference model and really doesn't fit it. You
can't build a stack that runs reasonably without "layering violations".
These are NOT bugs!
Netgraph is a really neat way to implement things, but trying to build
the bottom layers of the stack with NG nodes would probably be futile
and would never operate well.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634