Date: Sat, 8 May 2004 20:04:40 +0200
From: Max Laier <max@love2party.net>
To: Luigi Rizzo <rizzo@icir.org>
Cc: Sam Leffler <sam@errno.com>
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-ID: <200405082004.47121.max@love2party.net>
In-Reply-To: <20040508101459.A98855@xorpc.icir.org>
References: <200405061846.i46Ik3Jc060969@repoman.freebsd.org> <20040508152531.GA96827@hub.freebsd.org> <20040508101459.A98855@xorpc.icir.org>
[-- Attachment #1 --]

I see that there is a different scope of "the generic way" (== firewall) and the special stuff (== sysctl et. al.) in that the sysctl tuneable checks are more or less blindly killing *everything* while a packet filter allows for fine-grained rules. I think both have application and I think both should be available, BUT it should also be possible to get rid of the "kill-all" overhead (even though it might be negligible for any given change, the aggregated overhead is still an issue).

So my vote is to have a kernel option, let's call it "NOFIREWALL" (or NO_FIREWALL if that is the fav. color of the bikeshed at the moment) and wrap **all** those duplicate bits with #ifdef's. GENERIC would ship with this option turned on, but everybody that wants to build a **router** or box that needs fine-grained packet filtering can get rid of the disturbing code with one switch. Also it is easy to kill it all at once if we decide that we have default firewall code that is fast and easy enough.

Another sidenote on this: I'd like to have the default install be as RFC compliant as possible ... additional security levels should be set consciously via sysctl or rc.conf. Also I find the naming/numbering of this particular sysctl a bit "not so intuitive" as it should be called "options_process" (as the options-part is the more significant) and a higher value should mean a higher "security" level. But those are just my 2¢ as I am on it and are not to be considered as bylaw bashing.

On Saturday 08 May 2004 19:14, Luigi Rizzo wrote:
> On the principle, I tend to agree with Darren here...
> it is not nice to replicate functionality in multiple places
> by using specialized code instead of relying on (and
> possibly optimizing) the generic one. It makes it a lot harder
> to clean up the replication later, and I believe Andre knows
> that quite well given the cleanup work he has done in the past
> in the network stack.
>
> I don't think it is worth making a big fuss about this particular
> change, but certainly, as a general principle, we should try as
> much as possible to use the generic mechanisms when available --
> especially given that performance killers are elsewhere (locking
> etc.).
>
> cheers
> luigi
>
> On Sat, May 08, 2004 at 08:25:31AM -0700, Darren Reed wrote:
> > On Fri, May 07, 2004 at 07:55:36AM -0700, Sam Leffler wrote:
> > > Employing a packet filter is not equivalent as it requires every packet
> > > to be processed while this (effectively 7-line change) adds no new
> > > overhead to the normal processing path for packets. It would be nice
> > > if packet filtering were cheap enough that we could use it in this way
> > > but I don't think that's the case just yet.
> >
> > Using that argument, is that clearance to put all of the normalization
> > from pf into the various parts of the networking code (not every type of
> > normalisation needs to be done on every packet but it is all useful),
> > with sysctls to turn it on or off, and maybe we'll add the ability to log
> > packets at various points because we don't want the overhead of BPF (it
> > has to process every packet too) and that's just for starters. I'm sure
> > I can think of some more, in time. How about you?
> >
> > If there were a core@ for freebsd that was active, this is the kind of
> > thing I'd be writing to them about, asking for it to be backed out.
> >
> > Darren

-- 
Best regards,                       | mlaier@freebsd.org
Max Laier                           | ICQ #67774661
http://pf4freebsd.love2party.net/   | mlaier@EFnet

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQBAnSE/XyyEoT62BG0RAmgYAJsERWKuZp5TKjfWlcAo7vo9ww7rdQCfaOdh
7lFuSkNs+sSFKB9w55DjByY=
=Gwu7
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200405082004.47121.max>
