From: Julian Elischer
Date: Thu, 28 Jun 2001 23:00:47 -0700
To: Nicolai Petri
Cc: freebsd-hackers@freebsd.org
Subject: Re: An netgraph firewall module ? Is this possible / good performing ?
Message-ID: <3B3C198F.F21EABB3@elischer.org>
References: <008e01c0fafd$034e8000$8632a8c0@atomic.dk>

Nicolai Petri wrote:
>
> Hi hackers,
>
> I've used some time writing a custom natd-like daemon which does some
> special packet processing.
> One of the issues with the natd approach is the large amount of
> context-switches it gives.
> This can be a real performance problem on very loaded networks. Would it be
> possible to do this with netgraph instead? And what are the pros and cons
> of this approach?
>
> As a second step in development, how should protocol verification
> (ftp/smtp/whatever) be added to a netgraph firewall approach in a structured
> and dynamically extendable way?

Unfortunately, the netgraph code does not have a hook into the IP code, so at
this time you cannot pass packets into the IP protocol and have them then go
to netgraph.
You could, however, put a filter onto the ethernet interface, but then you'd
have to take into account the 14-byte header too.

>
> Best regards,
> Nicolai Petri

--
Julian Elischer
julian@elischer.org
presently in San Francisco
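
The 14-byte header point in the reply above, as an added example (not code from the thread or from netgraph): a user-space C routine that finds the IPv4 header inside a raw Ethernet frame, which is what a filter attached at the Ethernet layer would be handed. The function names and sample frames are constructed for illustration, and the routine goes slightly beyond the message by also handling one 802.1Q VLAN tag, which moves the IP header to offset 18.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN  14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define VLAN_TAG_LEN 4       /* 802.1Q TPID (2) + TCI (2) */
#define ETYPE_IPV4   0x0800
#define ETYPE_VLAN   0x8100

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: offset of a bounds-checked IPv4 header, or -1. */
int ipv4_offset(const uint8_t *frame, size_t len)
{
    size_t off = ETH_HDR_LEN, ihl;
    uint16_t etype;

    if (len < ETH_HDR_LEN) return -1;            /* runt frame */
    etype = rd16(frame + 12);
    if (etype == ETYPE_VLAN) {                   /* tagged: header is 18 bytes */
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return -1;
        etype = rd16(frame + 16);
        off += VLAN_TAG_LEN;
    }
    if (etype != ETYPE_IPV4 || len - off < 20) return -1;
    ihl = (size_t)(frame[off] & 0x0f) * 4;       /* header length in bytes */
    if ((frame[off] >> 4) != 4 || ihl < 20 || len - off < ihl) return -1;
    return (int)off;
}

/* IPv4 protocol number (6 = TCP, 17 = UDP), or -1 if the frame is rejected. */
int ipv4_protocol(const uint8_t *frame, size_t len)
{
    int off = ipv4_offset(frame, len);
    return off < 0 ? -1 : frame[off + 9];
}

/* Constructed sample frames (not captured traffic). */
const uint8_t frame_plain[34] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2 };
const uint8_t frame_vlan[38] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x81,0x00, 0x00,0x0a, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2 };

int main(void)
{
    printf("plain: off=%d proto=%d\n", ipv4_offset(frame_plain, 34), ipv4_protocol(frame_plain, 34));
    printf("vlan:  off=%d proto=%d\n", ipv4_offset(frame_vlan, 38), ipv4_protocol(frame_vlan, 38));
    return 0;
}
```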