Date: Sat, 2 Dec 2000 15:17:25 -0800 (PST) From: Gordon Tetlow <gordont@bluemtn.net> To: "Arthur W. Neilson III" <art@pilikia.net> Cc: stable@freebsd.org Subject: Re: Accept filters Message-ID: <Pine.BSF.4.05.10012021506460.10905-100000@sdmail0.sd.bmarts.com> In-Reply-To: <200012020939310510.17390D3C@smtp>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 2 Dec 2000, Arthur W. Neilson III wrote: > I'm slowly building up a 4.2-STABLE box to replace my 3.5-STABLE firewall box and am > about to rebuild the kernel with the IPFW stuff enabled. Noticed a couple unfamiliar > options in LINT near where the IPFIREWALL stuff is, ACCEPT_FILTER_DATA > and ACCEPT_FILTER_HTTP. The extremely brief comment just says these control > wether the accept filters are statically linked or not. I suppose it's a performance > win to statically link as you don't have to allocate/free filter storage repetitively? > Should I enable these options or not? I'll give a shot at this one. Please correct me if I'm wrong. Short Answer: No. Long Answer: The accept filters delay passing off an incoming connection out of the kernel and into a userland process until some set of conditions is met. For the DATA filter, the condition is some packet must be received. For the HTTP filter, the condition is a valid set of HTTP headers must be received. Applications must be specifically written to take advantage of the filter. AFAIK the only software written for these filters is Apache 1.3.13 and higher. And for a small capacity server, you won't notice the difference. For more info read the apache docs on it at: http://www.apache.org/docs/misc/perf-bsd44.html#accf -gordon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.10012021506460.10905-100000>