Porting proxies/ALGs into the kernel
samba
samba at embeddedinfotech.com
Wed Jul 26 04:09:41 UTC 2006
Hi all,
I am planning to use Packet Filter as a firewall/NAT for my VPN box,
which runs VxWorks. It has 32 MB of RAM. I need to support some of the
popular services for machines behind the NAT, like FTP, H.323, RealAudio,
NetBIOS, DNS, RTSP and SIP. The standard OpenBSD way of doing things,
afaik, is to redirect the traffic to user space and let the proxy
daemons deal with it. My questions are:
a) Would it not be a big overhead to move packets to and from user
space and kernel space? Also, considering my case where the box is memory
constrained, I would want to keep the number of user-space
processes/tasks to a minimum.
b) Would it be a good idea to port the ALGs into the kernel, the way
IPFILTER or Netfilter does it?
c) Would it be feasible to re-model PF such that rule matches (e.g. IP
address match, interface match) and targets (filter, redirect, DNAT,
SNAT) can be registered, so that additional matches and targets can be
added without much change in the core firewall code?
Please let me know your opinion regarding this.
thanks & regards
samba
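The registration model asked about in question (c), as an added example that is not part of the original post and not PF's own code: a small table-driven classifier in C in which match predicates ("dport", "iface") and targets ("block", "rdr") are looked up by name from registries, so adding a new match or target type is one register call rather than a change to the evaluation loop. Everything here is constructed for illustration: the handler names, the ruleset, the packet fields, and the redirect to 127.0.0.1:8021, which stands in for handing FTP control traffic to a local proxy. Note that this toy uses first-match semantics, whereas pf's default is last match.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the header fields this example inspects or rewrites (constructed). */
struct pkt { uint32_t dst; uint16_t dport; int ifidx; };
enum verdict { V_PASS, V_BLOCK, V_RDR };

/* A match only inspects the packet; a target may rewrite it and returns the verdict. */
typedef int (*match_fn)(const struct pkt *p, const void *arg);
typedef enum verdict (*target_fn)(struct pkt *p, const void *arg);

/* Name-keyed registries; handlers are stored as generic function pointers and
 * cast back to their real type when called (the usual plugin-table idiom). */
#define MAX_HANDLERS 8
struct handler { const char *name; void (*fn)(void); };
static struct handler matches[MAX_HANDLERS], targets[MAX_HANDLERS];
static int nmatches, ntargets;

static int add(struct handler *tab, int *n, const char *name, void (*fn)(void))
{
    if (*n >= MAX_HANDLERS) return -1;
    tab[*n].name = name; tab[(*n)++].fn = fn;
    return 0;
}
static void (*lookup(const struct handler *tab, int n, const char *name))(void)
{
    for (int i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0) return tab[i].fn;
    return NULL;
}
/* Adding a new match or target type is one register call; classify() is untouched. */
int register_match(const char *name, match_fn fn)
{ return add(matches, &nmatches, name, (void (*)(void))fn); }
int register_target(const char *name, target_fn fn)
{ return add(targets, &ntargets, name, (void (*)(void))fn); }

/* Built-in matches: destination port, ingress interface. */
static int match_dport(const struct pkt *p, const void *arg)
{ return p->dport == *(const uint16_t *)arg; }
static int match_iface(const struct pkt *p, const void *arg)
{ return p->ifidx == *(const int *)arg; }

/* Built-in targets: drop, or redirect the destination (e.g. to a local proxy). */
struct rdr_arg { uint32_t addr; uint16_t port; };
static enum verdict target_block(struct pkt *p, const void *arg)
{ (void)p; (void)arg; return V_BLOCK; }
static enum verdict target_rdr(struct pkt *p, const void *arg)
{ const struct rdr_arg *r = arg; p->dst = r->addr; p->dport = r->port; return V_RDR; }

struct rule { const char *match; const void *match_arg; const char *target; const void *target_arg; };

/* First matching rule wins (pf itself defaults to last match). A rule naming an
 * unregistered match or target is skipped; no rule matching means pass. */
enum verdict classify(struct pkt *p, const struct rule *rules, int n)
{
    for (int i = 0; i < n; i++) {
        match_fn m = (match_fn)lookup(matches, nmatches, rules[i].match);
        target_fn t = (target_fn)lookup(targets, ntargets, rules[i].target);
        if (m && t && m(p, rules[i].match_arg)) return t(p, rules[i].target_arg);
    }
    return V_PASS;
}

/* Constructed ruleset: FTP control to a proxy on 127.0.0.1:8021, block NetBIOS
 * name service, block everything arriving on interface 2. */
static const uint16_t ftp_port = 21, nbns_port = 137;
static const int untrusted_if = 2;
static const struct rdr_arg ftp_proxy = { 0x7f000001u, 8021 };
static const struct rule ruleset[] = {
    { "dport", &ftp_port,     "rdr",   &ftp_proxy },
    { "dport", &nbns_port,    "block", NULL },
    { "iface", &untrusted_if, "block", NULL },
};

static void setup_handlers(void)
{
    static int done;
    if (done++) return;
    register_match("dport", match_dport);   register_match("iface", match_iface);
    register_target("block", target_block); register_target("rdr", target_rdr);
}

/* Classify a constructed TCP packet to 198.51.100.1:dport arriving on ifidx;
 * the possibly rewritten packet is copied to *out when out is not NULL. */
enum verdict run_case(uint16_t dport, int ifidx, struct pkt *out)
{
    struct pkt p = { 0xc6336401u, dport, ifidx };
    setup_handlers();
    enum verdict v = classify(&p, ruleset, (int)(sizeof ruleset / sizeof ruleset[0]));
    if (out) *out = p;
    return v;
}

/* Destination port after classification, showing the rewrite done by "rdr". */
uint16_t rewritten_dport(uint16_t dport, int ifidx)
{
    struct pkt out;
    run_case(dport, ifidx, &out);
    return out.dport;
}

int main(void)
{
    printf("ftp control on if1: verdict %d, dport now %u\n", run_case(21, 1, NULL), rewritten_dport(21, 1));
    return 0;
}
```

The point of the split is that `classify()` never learns about a new match or target: an H.323 or SIP helper that needed a new predicate (say, "payload looks like a SETUP") or a new target (rewrite an embedded address) would only call `register_match()`/`register_target()`. Whether that helper belongs in the kernel at all, given the 32 MB budget, is the separate question the post raises in (a) and (b).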
More information about the freebsd-pf mailing list