Date: Fri, 27 Feb 2004 11:16:02 -0800
From: "Kevin Oberman" <oberman@es.net>
To: Sam Leffler <sam@errno.com>
Cc: Dag-Erling Smørgrav <des@des.no>
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c
Message-ID: <20040227191602.2A2045D07@ptavv.es.net>
In-Reply-To: Message from Sam Leffler <sam@errno.com> of "Fri, 27 Feb 2004 08:18:12 PST." <200402270818.12553.sam@errno.com>
> From: Sam Leffler <sam@errno.com>
> Date: Fri, 27 Feb 2004 08:18:12 -0800
> Sender: owner-cvs-all@freebsd.org
>
> On Friday 27 February 2004 12:28 am, Dag-Erling Smørgrav wrote:
> > Sam Leffler <sam@errno.com> writes:
> > > I made two attempts to eliminate all the ipfw-, dummynet-, and
> > > bridge-specific code in the ip protocols but never got stuff to the
> > > point where I was willing to commit it. My main motivation for doing
> > > this was to eliminate much of the incestuous behaviour so that you
> > > could reason about locking requirements but there were other benefits
> > > (e.g. I was also trying to make the ip code more "firewall agnostic").
> >
> > The ideal solution would be to convert the entire networking stack to
> > netgraph nodes; we could then insert filter nodes at any point in the
> > graph.
>
> I consider netgraph a fine prototyping system. I think that using it for
> this purpose would be a mistake.

Back about 20 years ago I took my first class on the TCP/IP stack from Len Bosak of Stanford (before Cisco). He pointed out that most of the layering rules for the stack were for convenience and were also ignored when they impact performance. The very existence of ICMP is a layering violation! TCP/IP pre-dates the OSI reference model and really doesn't fit it. You can't build a stack that runs reasonably without "layering violations". These are NOT bugs!

Netgraph is a really neat way to implement things, but trying to build the bottom layers of the stack with NG nodes would probably be futile and would never operate well.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634