Date:      Fri, 27 Feb 2004 11:16:02 -0800
From:      "Kevin Oberman" <oberman@es.net>
To:        Sam Leffler <sam@errno.com>
Cc:        Dag-Erling Smørgrav <des@des.no>
Subject:   Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c 
Message-ID:  <20040227191602.2A2045D07@ptavv.es.net>
In-Reply-To: Message from Sam Leffler <sam@errno.com>  of "Fri, 27 Feb 2004 08:18:12 PST." <200402270818.12553.sam@errno.com> 

> From: Sam Leffler <sam@errno.com>
> Date: Fri, 27 Feb 2004 08:18:12 -0800
> Sender: owner-cvs-all@freebsd.org
> 
> On Friday 27 February 2004 12:28 am, Dag-Erling Smørgrav wrote:
> > Sam Leffler <sam@errno.com> writes:
> > > I made two attempts to eliminate all the ipfw-, dummynet-, and
> > > bridge-specific code in the ip protocols but never got stuff to the
> > > point where I was willing to commit it.  My main motivation for doing
> > > this was to eliminate much of the incestuous behaviour so that you
> > > could reason about locking requirements but there were other benefits
> > > (e.g. I was also trying to make the ip code more "firewall agnostic").
> >
> > The ideal solution would be to convert the entire networking stack to
> > netgraph nodes; we could then insert filter nodes at any point in the
> > graph.
> 
> I consider netgraph a fine prototyping system.  I think that using it for
> this purpose would be a mistake.

Back about 20 years ago I took my first class on the TCP/IP stack from
Len Bosack of Stanford (before Cisco). He pointed out that most of the
layering rules for the stack were for convenience and were also ignored
when they impacted performance. The very existence of ICMP is a layering
violation!

TCP/IP pre-dates the OSI reference model and really doesn't fit it. You
can't build a stack that runs reasonably without "layering violations".
These are NOT bugs!

Netgraph is a really neat way to implement things, but trying to build
the bottom layers of the stack with NG nodes would probably be futile
and would never operate well.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040227191602.2A2045D07>