From owner-freebsd-net@FreeBSD.ORG Wed Dec 15 11:04:12 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CAA3B16A4CE for ; Wed, 15 Dec 2004 11:04:12 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id D48C243D2D for ; Wed, 15 Dec 2004 11:04:11 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 34700 invoked from network); 15 Dec 2004 10:52:54 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 15 Dec 2004 10:52:54 -0000 Message-ID: <41C01A2C.24104876@freebsd.org> Date: Wed, 15 Dec 2004 12:04:12 +0100 From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Gleb Smirnoff References: <41BEF2AF.470F9079@freebsd.org> <20041215091135.GC53509@cell.sick.ru> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: per-interface packet filters, design approach X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Dec 2004 11:04:12 -0000 Gleb Smirnoff wrote: > > On Tue, Dec 14, 2004 at 03:03:27PM +0100, Andre Oppermann wrote: > A> d1. The PFIL_HOOKS API has one hook per direction per protocol and > A> passes the interface information to the firewall package. > A> d2. Should the PFIL_HOOKS API be changed and be per interface instead > A> of per protocol? All firewall packages need to be modified and > A> we are no longer compatible with the PFIL_HOOKS API. > > s/API/usage/g See my previous mail why your proposal is broken by design. > Andre, you are the person, who is optimizing our IP stack. Can you ask > this question, please: if the interface has no filters associated with it, > why the hell the packets running on it would enter firewall functions? Listen Gleb, first and formost I'm cleaning up network stack from years of bolt-on hackery to make it maintainable and easily understandable and extendable again. If there is a trade-off to be made between a few CPU cycles wasted with a clean and structured design versus some hackery pseudo-optimization I'm going to do the former. This is always the more viable choice. When looking at the BSD history one thing stands out: Wherever we had a very clean, concise and documented API (for example protocol independent sockets) things started to fly. In the network area we have the protosw structure and API which allows to add any type of network protocol very easily into the kernel. This has allowed BSD to support many different network protocols. Most recently IPv6. The price to pay for the small indirection protosw has is nothing compared to the adavantages of a good and clean API design. History tells us that sticking to certain design principals pays off very well and is worth some amount of performance tradeoffs. Feel free to ask Kirk McKusick on this lession of history. -- Andre