From: "Travis H." <solinym@gmail.com>
Date: Wed, 26 Jul 2006 01:57:02 -0500
To: samba
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44C6EB01.2050303@embeddedinfotech.com>
Subject: Re: Porting proxies/ALGs into to the kernel
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 7/25/06, samba wrote:
> a) Would it not be a big overhead to move packets to and fro the user
> space and kernel space. Also considering my case where the box is memory
> constrained, so I would want to keep the number of user space
> processes/tasks to a minimum.

Yes, crossing the kernel/user boundary is expensive, and that's why things like BPF exist: to do the filtering in kernel space and only pass matches to userspace (libpcap).

> b) Would it be a good idea to port the ALGs into the kernel, the way
> IPFILTER or Netfilter does it.

Depends on what you mean by "good". Certainly it would be more efficient, but you pay a price in stability: an error in the code stands a good chance of crashing the machine. I suspect you'll also find memory management in kernel space a bit trickier than in userland.

Your questions hint at a fairly ambitious project; are you an experienced kernel coder? If not, it may be too ambitious. If I were you, I'd do the development under VMWare or something like that, because you'll be crashing a lot, and it's somewhat difficult to diagnose kernel errors if you're not in a virtual machine, not to mention the annoying bit about waiting for it to reboot each time you discover a new error.

I don't have any hard numbers on it, but 32MB is pretty small. You'll probably be doing a lot of work just to keep the memory footprint small enough. If you decide to go this route, I humbly suggest you write the ALGs as userland processes first, and then see if you can shrink them down and move them into kernel space. You may find that there's just no way to cram them into 32MB, and save yourself a lot of work by reaching that conclusion earlier.

-- 
"if you're not part of the solution, you're part of the precipitate"
Unix "guru" for rent or hire || http://www.lightconsulting.com/~travis/
-><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
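The point above about BPF doing the filtering in the kernel and handing only matches to userland, as an added example that is not from the thread, from pf, or from libpcap: a toy interpreter for a small subset of classic BPF, running a hand-written program equivalent to tcpdump's `ip and tcp dst port 21` (the kind of filter an FTP ALG would push into the kernel so that HTTP, UDP and non-IP traffic never crosses the kernel/user boundary). The opcode subset, the program and the Ethernet frames are all constructed here by hand; a real deployment would let pcap_compile() emit the program and pcap_setfilter() install it.

```python
"""
Toy classic-BPF interpreter plus a hand-assembled filter equivalent to
tcpdump's "ip and tcp dst port 21".  Added illustration, not code from the
mailing-list thread: the opcodes are a subset of classic BPF and the
program was written by hand rather than emitted by pcap_compile().
"""
import struct

# Subset of classic BPF opcodes (assumed names, mirroring libpcap's
# BPF_LD|BPF_H|BPF_ABS, BPF_LD|BPF_B|BPF_ABS, BPF_LDX|BPF_MSH, BPF_LD|BPF_H|BPF_IND,
# BPF_JMP|BPF_JEQ, BPF_JMP|BPF_JSET and BPF_RET).
LDH_ABS, LDB_ABS, LDX_MSH, LDH_IND, JEQ, JSET, RET = range(7)

# (op, k, jt, jf): jt/jf are forward skip counts relative to the next
# instruction, exactly as in classic BPF.  Offsets assume Ethernet framing.
FTP_CONTROL_FILTER = [
    (LDH_ABS, 12, 0, 0),     # A = ethertype
    (JEQ, 0x0800, 0, 8),     # IPv4?  otherwise -> reject
    (LDB_ABS, 23, 0, 0),     # A = IP protocol
    (JEQ, 6, 0, 6),          # TCP?   otherwise -> reject
    (LDH_ABS, 20, 0, 0),     # A = IP flags + fragment offset
    (JSET, 0x1FFF, 4, 0),    # non-first fragment has no TCP header -> reject
    (LDX_MSH, 14, 0, 0),     # X = 4 * IHL = IP header length
    (LDH_IND, 16, 0, 0),     # A = TCP destination port (14 + IHL + 2)
    (JEQ, 21, 0, 1),         # port 21?  otherwise -> reject
    (RET, 65535, 0, 0),      # accept: up to 65535 bytes copied to userland
    (RET, 0, 0, 0),          # reject: packet never leaves the kernel
]


def run_filter(prog, pkt):
    """Execute a classic-BPF program over a frame; return the snap length
    (0 = drop).  Like the kernel, an out-of-bounds load rejects the packet."""
    acc = idx = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        pc += 1
        if op == LDH_ABS:
            if k + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, k)[0]
        elif op == LDB_ABS:
            if k + 1 > len(pkt):
                return 0
            acc = pkt[k]
        elif op == LDX_MSH:
            if k + 1 > len(pkt):
                return 0
            idx = 4 * (pkt[k] & 0x0F)
        elif op == LDH_IND:
            off = idx + k
            if off + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, off)[0]
        elif op == JEQ:
            pc += jt if acc == k else jf
        elif op == JSET:
            pc += jt if (acc & k) else jf
        elif op == RET:
            return k
        else:
            raise ValueError("unknown opcode %r" % op)


def build_frame(proto=6, dst_port=21, ethertype=0x0800, frag_off=0):
    """Constructed Ethernet/IPv4/L4 frame (no checksums; test data only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ethertype)
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16   # 20-byte header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, frag_off,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def reaches_userland(frame):
    """True if the kernel-side filter would hand this frame to the ALG."""
    return run_filter(FTP_CONTROL_FILTER, frame) != 0


# Constructed sample traffic.
SAMPLE_FRAMES = {
    "ftp_control":        build_frame(proto=6, dst_port=21),
    "ftp_first_fragment": build_frame(proto=6, dst_port=21, frag_off=0x2000),
    "ftp_later_fragment": build_frame(proto=6, dst_port=21, frag_off=0x0001),
    "http":               build_frame(proto=6, dst_port=80),
    "udp_port_21":        build_frame(proto=17, dst_port=21),
    "ipv6":               build_frame(ethertype=0x86DD),
    "truncated":          build_frame(proto=6, dst_port=21)[:30],
}


def classify_samples():
    return {name: reaches_userland(f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, passed in classify_samples().items():
        print("%-20s %s" % (name, "-> userland" if passed else "dropped in kernel"))
```

Only the FTP control frames (including a first fragment, which still carries the TCP header) are copied across the boundary; everything else is decided inside the kernel, which is the saving the reply above is describing.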