Date: Thu, 7 Dec 2006 16:14:06 +0000 (GMT)
From: Robert Watson
To: Gleb Smirnoff
Cc: Perforce Change Reviews, Andre Oppermann, Paolo Pisati
Subject: Re: PERFORCE change 111230 for review

On Thu, 7 Dec 2006, Gleb Smirnoff wrote:

> A> >this isn't a fix. Another application will do write(,, 16k + 1) and
> A> >m_jumbo16pullup() will fail again. Please backout it, it is a hack.
> A> >
> A> >We need to fix TSO in such way that real packets, that will be
> A> >transmitted to wire, will be passed to pfil handlers.
> A>
> A> That is not possible.
>
> ATM this should be at least documented behavior. And a solution should be
> thought, because pfil must see real packets, not their precursors.

This tension will always exist with offloaded services. tcpdump sees "corrupted" checksums on transmitted packets, and now it sees "long" TCP packets. Likewise, with reassembly offload, they'll come from the card in a reassembled form (this is present in the Neterion cards, which can do fragment reassembly, etc, in hardware, and pass a large datagram up the stack). I don't see any way of getting around the fact that IP processing happens before or after the firewall in the New World Order.

If a firewall really wants to see the packets as they will be transmitted, it can always do the fragmentation and checksumming itself. However, this is pretty undesirable from a performance perspective. I think pfil seeing the cards as they transit the IP layer is the right approach.

Robert N M Watson
Computer Laboratory
University of Cambridge