From owner-cvs-all@FreeBSD.ORG Fri Feb 27 10:42:44 2004 Return-Path: Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6517916A4CE; Fri, 27 Feb 2004 10:42:44 -0800 (PST) Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [204.127.202.64]) by mx1.FreeBSD.org (Postfix) with ESMTP id 91B0943D2D; Fri, 27 Feb 2004 10:42:43 -0800 (PST) (envelope-from julian@elischer.org) Received: from interjet.elischer.org ([24.7.73.28]) by comcast.net (sccrmhc13) with ESMTP id <2004022718424101600569b3e>; Fri, 27 Feb 2004 18:42:42 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id KAA21032; Fri, 27 Feb 2004 10:42:40 -0800 (PST) Date: Fri, 27 Feb 2004 10:42:38 -0800 (PST) From: Julian Elischer To: Sam Leffler In-Reply-To: <200402270818.12553.sam@errno.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE X-Mailman-Approved-At: Sat, 28 Feb 2004 04:52:29 -0800 cc: Max Laier cc: Andre Oppermann cc: Steve Kargl cc: cvs-src@FreeBSD.org cc: cvs-all@FreeBSD.org cc: src-committers@FreeBSD.org cc: Tim Robbins cc: Luigi Rizzo cc: Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?= Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Feb 2004 18:42:44 -0000 On Fri, 27 Feb 2004, Sam Leffler wrote: > On Friday 27 February 2004 12:28 am, Dag-Erling Sm=F8rgrav wrote: > > Sam Leffler writes: > > > I made two attempts to eliminate all the ipfw-, dummmynet-, and > > > bridge-specific code in the ip protocols but never got stuff to the > > > point where I was willing to commit it. My main motivation for doing > > > this was to eliminate much of the incestuous behaviour so that you > > > could reason about locking requirements but there were other benefits > > > (e.g. I was also trying to make the ip code more "firewall agnostic")= =2E > > > > The ideal solution would be to convert the entire networking stack to > > netgraph nodes; we could then insert filter nodes at any point in the > > graph. >=20 > I consider netgraph a fine prototyping system. I think that using it for= this=20 > purpose would be a mistake. for the record, I agree. Netgraph is good for 3 things: 1/ general prototyping 2/ production of "strange" configurations that probably don't deserve massive development time. Kindof "one off" setups. 3/ It is actually very good at Link level stuff and is used in production for that. What it would not be good at would be handling something like the socket layer.. you can not realistically make a netgraph hook for every=20 socket in the system, and as Van jacobson points out, layer collapsing in the final production product is probably a good idea. (i.e. expediency over academic purity). Having said all that I'm sure that you COULD make a netgraph based IP stack and that it might even be useful as a second string for=20 finding bugs and prototyping stuff. =20 > =09Sam >=20 >=20