From owner-cvs-all@FreeBSD.ORG Fri Feb 27 11:16:04 2004
From: "Kevin Oberman"
To: Sam Leffler
Cc: Max Laier, Andre Oppermann, Tim Robbins, Luigi Rizzo, Steve Kargl, Dag-Erling Smørgrav, cvs-all@FreeBSD.org, src-committers@FreeBSD.org, cvs-src@FreeBSD.org
Date: Fri, 27 Feb 2004 11:16:02 -0800
In-Reply-To: Message from Sam Leffler of "Fri, 27 Feb 2004 08:18:12 PST." <200402270818.12553.sam@errno.com>
Message-Id: <20040227191602.2A2045D07@ptavv.es.net>
Subject: Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c if_pfsync.h pf.c pf_ioctl.c pf_norm.c pf_osfp.c pf_table.c pfvar.h src/sys/contrib/pf/netinet in4_cksum.c

> From: Sam Leffler
> Date: Fri, 27 Feb 2004 08:18:12 -0800
> Sender: owner-cvs-all@freebsd.org
>
> On Friday 27 February 2004 12:28 am, Dag-Erling Smørgrav wrote:
> > Sam Leffler writes:
> > > I made two attempts to eliminate all the ipfw-, dummynet-, and
> > > bridge-specific code in the ip protocols but never got stuff to the
> > > point where I was willing to commit it. My main motivation for doing
> > > this was to eliminate much of the incestuous behaviour so that you
> > > could reason about locking requirements but there were other benefits
> > > (e.g. I was also trying to make the ip code more "firewall agnostic").
> >
> > The ideal solution would be to convert the entire networking stack to
> > netgraph nodes; we could then insert filter nodes at any point in the
> > graph.
>
> I consider netgraph a fine prototyping system. I think that using it for
> this purpose would be a mistake.

Back about 20 years ago I took my first class on the TCP/IP stack from Len Bosak of Stanford (before Cisco). He pointed out that most of the layering rules for the stack were for convenience and were also ignored when they impact performance. The very existence of ICMP is a layering violation! TCP/IP pre-dates the OSI reference model and really doesn't fit it.

You can't build a stack that runs reasonably without "layering violations". These are NOT bugs!

Netgraph is a really neat way to implement things, but trying to build the bottom layers of the stack with NG nodes would probably be futile and would never operate well.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634