Date: Thu, 28 Jun 2001 23:00:47 -0700
From: Julian Elischer <julian@elischer.org>
To: Nicolai Petri <freebsd@petri.cc>
Cc: freebsd-hackers@freebsd.org
Subject: Re: An netgraph firewall module ? Is this possible / good performing ?
Message-ID: <3B3C198F.F21EABB3@elischer.org>
References: <008e01c0fafd$034e8000$8632a8c0@atomic.dk>

Nicolai Petri wrote:
>
> Hi hackers,
>
> I've used some time writing a custom natd-like daemon which makes some
> special packet processing.
> One of the issues with the natd approach is the large amount of
> context-switches it gives.
> This can be a real performance problem on very loaded networks. Would it be
> possible to do this with netgraph instead? And what are the pros and cons
> of this approach?
>
> As a second step in development how should protocol verification
> (ftp/smtp/whatever) be added to a netgraph firewall approach in a structured
> and dynamically extendable way ?

Unfortunately, the netgraph code does not have a hook into the IP code,
so at this time you cannot pass packets into the IP protocol
and have them then go to netgraph.

You could however put a filter onto the Ethernet interface, but then you'd
have to take into account the 14-byte header too.

>
> Best regards,
> Nicolai Petri
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message

--
      +------------------------------------+       ______ _  __
      |   __--_|\  Julian Elischer         |       \     U \/ / hard at work in
      |  /       \ julian@elischer.org     +------>x   USA    \ a very strange
      | (   OZ    )                                \___   ___ | country !
      +- X_.---._/    presently in San Francisco       \_/   \\
                v
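
The 14-byte header mentioned in the reply above is what a filter attached at the Ethernet layer has to step over and validate before it can look at IP fields. The following is an added example, not part of the original message and not netgraph code: a user-space C sketch that assumes untagged Ethernet II frames, with hypothetical helper names (`ipv4_offset`, `ipv4_protocol`) and a constructed sample frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHER_HDR_LEN   14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define ETHERTYPE_IPV4  0x0800

/* Hypothetical helper: returns the offset of the IPv4 header inside an
 * untagged Ethernet II frame, or -1 if the frame is not well-formed IPv4. */
int ipv4_offset(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN + 20)                /* Ethernet + minimal IPv4 header */
        return -1;
    uint16_t ethertype = (uint16_t)(frame[12] << 8 | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)             /* ARP, IPv6, VLAN-tagged, ... */
        return -1;
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;     /* IPv4 header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETHER_HDR_LEN + ihl)
        return -1;
    size_t total = (size_t)(ip[2] << 8 | ip[3]); /* IPv4 total length field */
    if (total < ihl || total > len - ETHER_HDR_LEN)
        return -1;                               /* length field exceeds the frame */
    return ETHER_HDR_LEN;
}

/* Returns the IPv4 protocol number (6 = TCP, 17 = UDP) or -1 on rejection. */
int ipv4_protocol(const uint8_t *frame, size_t len)
{
    int off = ipv4_offset(frame, len);
    return off < 0 ? -1 : frame[off + 9];
}

/* Constructed sample: 14-byte Ethernet header followed by a 20-byte IPv4 header. */
static const uint8_t sample_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x02,  0x08,0x00,
    0x45,0x00,0x00,0x14,  0x00,0x00,0x00,0x00,  0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01,  0xc0,0x00,0x02,0x02
};

int main(void)
{
    printf("IPv4 header at offset %d, protocol %d\n",
           ipv4_offset(sample_frame, sizeof sample_frame),
           ipv4_protocol(sample_frame, sizeof sample_frame));
    return 0;
}
```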