per-interface packet filters [summary]
Max Laier
max at love2party.net
Tue Dec 14 06:21:12 PST 2004
On Tuesday 14 December 2004 15:03, Luigi Rizzo wrote:
> On Tue, Dec 14, 2004 at 01:47:35PM +0100, Andre Oppermann wrote:
> ...
>
> > > Implementationwise, the kernel side is evidently trivial as the
> > > original code already supports the idea of multiple chains. All
> > > you need is to extend the struct ifnet with a pointer to the chain,
> > > or use some other trick (e.g. going through ifindex) to quickly
> > > associate a chain to the input (and possibly output) interface.
> >
> > Nonononononononononononononononononononononono.
>
> andre you need to cool down a bit!
We should all.
> i said "use some other trick" exactly to avoid changing
> the struct ifnet. All i meant to say is that we want a unique
> key, possibly in a small namespace, to quickly locate the per-if
> private firewall info. How the key is used is not a business of
> the rest of the kernel. But of course if it is an index in a
> smallish array (such as ifindex) the thing is fast and clean.
Well spoken! Let's just *not* go Linux here and have a "hook" on every layer
over and over and over again [1] ... because that certainly does *not* help
performance.
There is always room for optimization *within* the filter. Messing struct
ifnet or other parts of the kernel with firewall information is not the way
to go.
[1] http://fxr.watson.org/fxr/ident?v=linux-2.6.9;i=NF_HOOK
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
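To make the design point in the quoted text concrete (a unique key such as ifindex into a smallish array locating the per-interface firewall state, with struct ifnet left alone), here is an added user-space model in C; it is not code from this thread, from ipfw or from FreeBSD, and every name, the table size and the sample policy are constructed for illustration.

```c
/* Added example, not code from the thread or from FreeBSD: a user-space model
 * of per-interface filter chains located through ifindex as a key into a small
 * array, leaving struct ifnet untouched. All names and the policy are made up. */
#include <stddef.h>
#include <stdint.h>

enum { BLOCK = 0, PASS = 1 };
#define MAX_IFINDEX 16   /* the "smallish array" bound (constructed) */

struct rule  { uint8_t proto; uint16_t dport; int action; };
struct chain { const struct rule *rules; size_t nrules; int default_action; };

/* Constructed policy: the global chain blocks TCP/23; interface 2 carries a
 * private chain that also blocks TCP/22. Both default to PASS. */
static const struct rule global_rules[] = { { 6, 23, BLOCK } };
static const struct chain global_chain  = { global_rules, 1, PASS };
static const struct rule if2_rules[]    = { { 6, 22, BLOCK }, { 6, 23, BLOCK } };
static const struct chain if2_chain     = { if2_rules, 2, PASS };

/* Per-interface table indexed by ifindex; a NULL slot means "no private
 * chain, fall back to the global one". This is the per-if firewall state
 * that lives inside the filter rather than in the rest of the kernel. */
static const struct chain *if_chain[MAX_IFINDEX] = { [2] = &if2_chain };

/* First matching rule wins; otherwise the chain's default action. */
static int run_chain(const struct chain *c, uint8_t proto, uint16_t dport)
{
    for (size_t i = 0; i < c->nrules; i++)
        if (c->rules[i].proto == proto && c->rules[i].dport == dport)
            return c->rules[i].action;
    return c->default_action;
}

/* Verdict for a packet arriving on interface `ifindex`. The index is only a
 * key: it is bounds-checked before use, and an out-of-range or unconfigured
 * interface is filtered by the global chain instead of reading past the table. */
int filter_input(unsigned ifindex, uint8_t proto, uint16_t dport)
{
    const struct chain *c = ifindex < MAX_IFINDEX ? if_chain[ifindex] : NULL;
    return run_chain(c != NULL ? c : &global_chain, proto, dport);
}
```

The bounds check in filter_input is the part worth keeping in mind: once the key is an index into a fixed array, every caller must be prevented from indexing past it.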