From: Darren Reed
Message-Id: <200212210452.PAA21280@avalon.reed.wattle.id.au>
Subject: Re: PFIL_HOOKS should be made default in 5.0
In-Reply-To: <3E03BC72.422C971F@mindspring.com>
To: Terry Lambert
Date: Sat, 21 Dec 2002 15:52:51 +1100
Cc: Sergey Mokryshev, Vallo Kallaste, Sam Leffler, Hiten Pandya, Darren Reed, current@FreeBSD.ORG

In some email I received from Terry Lambert, sie wrote:
> Sergey Mokryshev wrote:
> > Unfortunately nobody cares to look into PR database (conf/44576)
> >
> > In case PFIL_HOOKS really slows IP processing I don't mind keeping this
> > out of GENERIC, however it should be noted in UPDATING and release notes.
> >
> > I did not do any time consuming searches the first time I tried to load
> > ipl.ko, but I've spent some time reading NOTES before upgrading to
> > -CURRENT and I am using IP Filter for about three years now on Solaris
> > and FreeBSD (thanks, Darren).
> >
> > IMHO GENERIC is not supposed to be fast, but to be useable out-of-the box.
>
> This is a reasonable argument... if it's possible to tune it so
> that it's fast. Hacking in the IP Filter hooks unconditionally
> for code that can't really be distributed as part of the system
> because of its license, and thus making things slower, with no
> chance to make them faster later, is not my idea of A Really
> Good Thing(tm).

I don't understand this paragraph at all.

pfil(9) comes from NetBSD. It's not quite up to date with the NetBSD
code because I'm waiting for them to sort out how to deal with bridging
before updating again.

The purpose of pfil(9) is not to facilitate ipfilter but to act as a
mechanism for anything to filter packets to use it as the way to receive
packets. Ideally ipfw* should also use pfil(9) and not have those large
chunks of code in ip_{in,out}put.c.

> Probably the correct thing to do is to wire in ipfilter as a
> Netgraph module.

If/when the joining between layer 2 and layer 3 in the kernel uses
netgraph rather than the current mechanisms, then it would be appropriate
to use netgraph for ipfilter.

Darren