cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h

Sat May 8 13:42:47 PDT 2004

On Sat, 8 May 2004, Darren Reed wrote:

> On Fri, May 07, 2004 at 07:55:36AM -0700, Sam Leffler wrote:
> > 
> > Employing a packet filter is not equivalent as it requires every packet to be 
> > processed while this (effectively 7-line change) adds no new overhead to the 
> > normal processing path for packets.  It would be nice if packet filtering 
> > were cheap enough that we could use it in this way but I don't think that's 
> > the case just yet.
> 
> Using that argument, is that clearance to put all of the normalization
> from pf into the various parts of the networking code (not every type of
> normalisation needs to be done on every packet but it is all useful),
> with sysctls to turn it on or off, and maybe we'll add the ability to
> log packets at various points because we don't want the overhead of BPF
> (it has to process every packet too) and that's just for starters.  I'm
> sure I can think of some more, in time.  How about you? 
> 
> If there were a core@ for freebsd that was active, this is the kind of
> thing I'd be writing to them about, asking for it to be backed out. 

Actually, my impression is that Andre didn't make this change for the
reason you may think he did.  This isn't about ignoring insecure options,
and adding yet more tunables to disable classes on insecure or possibly
insecure processing, it's about allowing the administrative disabling of
exceptional case "slow path" forwarding as found in most high speed
routers.  These routers frequently simply ignore options in fast path
processing, and also frequently don't have a slow path.  Using general
purpose packet filtering is precisely what he doesn't want to do in order
to have optimized fast path forwarding.  Instead, he wants to be able to
configure the system to not perform certain sorts of processing that are
typically not required in that environment.  That's very different from
the goal of packet filtering and rewriting for security purposes.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research