Date: Tue, 27 Jan 2015 23:39:17 +0100 From: Luigi Rizzo <rizzo@iet.unipi.it> To: Antoine Beaupr? <anarcat@koumbit.org> Cc: freebsd-net@freebsd.org, wishmaster <artemrts@ukr.net> Subject: Re: is polling still a thing? Message-ID: <20150127223917.GA21883@onelab2.iet.unipi.it> In-Reply-To: <87pp9zc1wk.fsf@marcos.anarc.at> References: <871tmgceup.fsf@marcos.anarc.at> <1422384769.867067950.y2iiuu53@frv34.fwdcdn.com> <87pp9zc1wk.fsf@marcos.anarc.at>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jan 27, 2015 at 05:08:27PM -0500, Antoine Beaupr? wrote: > On 2015-01-27 13:57:20, wishmaster wrote: > > Have you consider to use netmap-based ipfw instead pf in DDoS mitigation? I think you should. And without any network ''haks'' like polling. > > My understanding of netmap was that it wasn't useful for packet > forwarding, because its design is for transmitting packets directly to > userland faster, whereas routers dataflow stay mostly in the router... i think the suggestion was to have let netmap-ipfw drop the traffic you don't want to deal with, and then inject the remaining ones into the kernel where the processing occurs -- possibly even using pf or a different firewall There are people using netmap-ipfw on external physical boxes exactly in this way -- as a "bump in the wire", but it is trivial to run it on the same machine. cheers luigi > I'm hesitant in switching back to ipfw, considering how nice the > featureset and syntax of pf is. But if that's what's needed to restore > sanity... > > a. > > -- > Celui qui sait jouir du peu qu'il a est toujours assez riche. > - Démocrite > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150127223917.GA21883>