From owner-freebsd-ipfw@FreeBSD.ORG  Fri Oct 19 11:25:39 2012
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: ipfw@freebsd.org
Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53])
 by hub.freebsd.org (Postfix) with ESMTP id 633F0D03;
 Fri, 19 Oct 2012 11:25:39 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from [127.0.0.1] (hub.freebsd.org [8.8.178.136])
 by mx2.freebsd.org (Postfix) with ESMTP id 19E8D3B53B7;
 Fri, 19 Oct 2012 11:25:36 +0000 (UTC)
Message-ID: <508138A4.5030901@FreeBSD.org>
Date: Fri, 19 Oct 2012 15:25:24 +0400
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:15.0) Gecko/20121010 Thunderbird/15.0.1
MIME-Version: 1.0
To: net@freebsd.org
Subject: [RFC] Enabling IPFIREWALL_FORWARD in run-time
X-Enigmail-Version: 1.4.3
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enigCA59115641B47F6217D4A48C"
Cc: ipfw@freebsd.org
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2012 11:25:39 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigCA59115641B47F6217D4A48C
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi All,

Many years ago i have already proposed this feature, but at that time
several people were against, because as they said, it could affect
performance. Now, when we have high speed network adapters, SMP kernel
and network stack, several locks acquired in the path of each packet,
and i have an ability to test this in the lab.

So, i prepared the patch, that removes IPFIREWALL_FORWARD option from
the kernel and makes this functionality always build-in, but it is
turned off by default and can be enabled via the sysctl(8) variable
net.pfil.forward=3D1.

	http://people.freebsd.org/~ae/pfil_forward.diff

Also we have done some tests with the ixia traffic generator connected
via 10G network adapter. Tests have show that there is no visible
difference, and there is no visible performance degradation.

Any objections?

--=20
WBR, Andrey V. Elsukov


--------------enigCA59115641B47F6217D4A48C
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)

iQEcBAEBAgAGBQJQgTisAAoJEAHF6gQQyKF6+UwH/2xemnR6Si2AtLcRJrB0HpXa
Kr8r2BCyTulAdBsYBznduCj4cvhpiVrXNhqIf9y1mrY4LMz0Ci98OClOTaom82t/
/1msCig4nt61ZV5X21aQ19xzWUqu/Njx1gGz63v2dBKAyhngdJ3EjGa5sU1L2RU2
wJnJ4/iSmq1IT9Y6x0iFXG+1LZTs/Kg+/9j5G8qnTJDRP0sIRwopG4Imd5MdHOLM
KrnpCm2HMxvxq6xls4phaBy20p/Yy5LDl7iDgJLyK7Ro8TA05me6zVBzz9hnuJjJ
zN65HAMlhZsfeXb5VxRfKh11QcS8jdYhHATUSYuHIlGibdAa4Pj+hZlWzVKTS1E=
=9ra7
-----END PGP SIGNATURE-----

--------------enigCA59115641B47F6217D4A48C--