From: Zamri Besar
To: "Andrey V. Elsukov"
Cc: ipfw@freebsd.org, net@freebsd.org
Date: Fri, 19 Oct 2012 19:47:03 +0800
Subject: Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time
In-Reply-To: <508138A4.5030901@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

On Oct 19, 2012 7:25 PM, "Andrey V. Elsukov" wrote:
>
> Hi All,
>
> Many years ago I have already proposed this feature, but at that time
> several people were against, because as they said, it could affect
> performance. Now, when we have high speed network adapters, SMP kernel
> and network stack, several locks acquired in the path of each packet,
> and I have an ability to test this in the lab.
>
> So, I prepared the patch, that removes IPFIREWALL_FORWARD option from
> the kernel and makes this functionality always built-in, but it is
> turned off by default and can be enabled via the sysctl(8) variable
> net.pfil.forward=1.
>
> http://people.freebsd.org/~ae/pfil_forward.diff
>
> Also we have done some tests with the Ixia traffic generator connected
> via 10G network adapter. Tests have shown that there is no visible
> difference, and there is no visible performance degradation.
>
> Any objections?
>
> --
> WBR, Andrey V. Elsukov
>

This is what I wanted many years ago too... ;)
I vote for "yes"