From: Constantine Shkolny
Reply-To: "stan@osgroup.com"
To: "hackers@FreeBSD.ORG"
Subject: ipfilter (was: RE: Introduction)
Date: Sat, 19 Jun 1999 10:28:12 -0500
Organization: Ashley Laurent, Inc.
Message-ID: <01BEBA3E.6F913AC0.stan@osgroup.com>

Hi All,

I'm now analyzing ipfilter in 3.2 and our goal is to port our IPSec/firewall. I'm still in the beginning of reading the code so, at this time, I can't yet tell how nicely it fits our needs. I just have some concerns which I'd like the people who are going to re-design the ipfilter to hear. I wouldn't be surprised to learn that you are already thinking about this; however, it's nice to know it for certain :-)

The things in the IPSec field are seemingly moving to using hardware accelerators for doing compression/encryption/authentication. This means that IP filters need to grab some of the IP packets, process them on a specialized processor and then re-inject them into the IP packet stream. That is, the filter may decide to convert the packet, but it doesn't have it ready-to-go when it has to return. However, it may have it ready at some later time, possibly when it processes a hardware interrupt and sees that the co-processor has finished its work on the packet.

Can ipfilter handle this?

Thank you,
Stan