From owner-freebsd-net Tue May 19 15:10:41 1998
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA29378 for freebsd-net-outgoing; Tue, 19 May 1998 15:10:41 -0700 (PDT) (envelope-from owner-freebsd-net@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA29321; Tue, 19 May 1998 15:10:22 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id WAA12885; Tue, 19 May 1998 22:10:09 GMT
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id AAA00228; Wed, 20 May 1998 00:10:08 +0200 (MET DST)
Message-ID: <19980520001008.55413@follo.net>
Date: Wed, 20 May 1998 00:10:08 +0200
From: Eivind Eklund
To: Luigi Rizzo
Cc: kjc@csl.sony.co.jp, net@FreeBSD.ORG
Subject: Re: struct ifnet handling...
References: <19980519211917.64952@follo.net> <199805191942.VAA10394@labinfo.iet.unipi.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <199805191942.VAA10394@labinfo.iet.unipi.it>; from Luigi Rizzo on Tue, May 19, 1998 at 09:42:28PM +0200
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 19, 1998 at 09:42:28PM +0200, Luigi Rizzo wrote:
> > Sure. This is a result of the initial implementation not being
> > chains-oriented. There are a lot of rules that we're certain
>
> but "chains" can be emulated with relative ease and efficiency
> using optimized SKIPTO instructions.

Are you talking about automatically or by the user?

If you're talking about the user level, I think that is loading a lot of things on the user that don't belong there. Rules should be written for clarity, not speed (just like code) - optimization should only happen when it is necessary. In this case, it is not necessary for the user to optimize.

If you're talking system level: Yes, you can emulate it, but here you would want to use something that can 'run a packet' like a chain, to allow flexibility.

> Possibly we can have a 'switch' type of instruction to speed up
> initial selections basing on source/dst interface, or protocol types
> (small sets, in any case).

We can, but it makes the later job of doing _real_ optimization harder. If I find time for it, the final target will be generating machine code that corresponds to the route- and firewall tables.

> I am a bit reluctant on using pre-defined chains. it looks too high
> level, and i cannot tell very well if the mechanism is too strict,
> useful or overkill.

I'm not certain what you mean by 'pre-defined chains'. I pointed out where there were logical splits, based on an automated transform of rules. These differences _are_ there, no matter what - there are those 6 classes of rules (at least).

BTW: The concept of 'chains' is used on the Ciscos (there called 'rule lists' IIRC).

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
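The thread above argues about whether "chains" of firewall rules can be emulated in a flat, numbered rule list by dispatching with SKIPTO on the input interface. The following toy rule interpreter is an added illustration, not code from this thread or from FreeBSD's ipfw: it evaluates the same traffic against a flat rule list and against a skipto-dispatched one, and reports how many rules each walk examined. The rule syntax, the packet fields (interface, protocol, destination port), the sample rule sets and the sample packets are all constructed here; only the skipto semantics (continue at the first rule whose number is at least the target) follow the ipfw convention discussed in the thread.

```python
"""Toy packet-filter interpreter (constructed example, not FreeBSD ipfw).

Shows how a per-interface "chain" can be emulated in a flat rule list with
skipto dispatch, and what that does to the number of rules examined.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str       # input interface, e.g. "em0"
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass
class Rule:
    number: int
    action: str                     # "allow", "deny" or "skipto"
    target: int = 0                 # skipto destination rule number
    iface: Optional[str] = None     # None matches any interface
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface) and
                (self.proto is None or self.proto == pkt.proto) and
                (self.dst_port is None or self.dst_port == pkt.dst_port))


def run_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk the rule list in ascending order.

    Returns (verdict, rules_examined).  A matching skipto resumes at the
    first rule whose number is >= target; the list ends in an implicit deny.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    i, examined = 0, 0
    while i < len(ordered):
        rule = ordered[i]
        examined += 1
        if rule.matches(pkt):
            if rule.action == "skipto":
                i = next((k for k, r in enumerate(ordered) if r.number >= rule.target),
                         len(ordered))
                continue
            return rule.action, examined
        i += 1
    return "deny", examined


# Flat list: every rule carries its interface qualifier, so a packet on em1
# still has to be tested against each em0 rule before reaching its own.
FLAT = [
    Rule(100, "allow", iface="em0", proto="tcp", dst_port=22),
    Rule(110, "allow", iface="em0", proto="tcp", dst_port=80),
    Rule(120, "allow", iface="em0", proto="tcp", dst_port=443),
    Rule(130, "allow", iface="em0", proto="udp", dst_port=123),
    Rule(140, "allow", iface="em1", proto="tcp", dst_port=25),
    Rule(150, "allow", iface="em1", proto="udp", dst_port=53),
    Rule(160, "deny"),
]

# Chain emulation: two skipto rules dispatch on interface, then each block
# of rules only concerns its own interface and ends with its own deny.
CHAINED = [
    Rule(100, "skipto", target=1000, iface="em0"),
    Rule(200, "skipto", target=2000, iface="em1"),
    Rule(300, "deny"),                       # unknown interface
    Rule(1000, "allow", proto="tcp", dst_port=22),
    Rule(1010, "allow", proto="tcp", dst_port=80),
    Rule(1020, "allow", proto="tcp", dst_port=443),
    Rule(1030, "allow", proto="udp", dst_port=123),
    Rule(1040, "deny"),                      # end of em0 chain
    Rule(2000, "allow", proto="tcp", dst_port=25),
    Rule(2010, "allow", proto="udp", dst_port=53),
    Rule(2020, "deny"),                      # end of em1 chain
]

# Constructed sample traffic covering both chains and an unknown interface.
SAMPLE_PACKETS = [
    Packet("em1", "udp", 53),
    Packet("em0", "tcp", 80),
    Packet("em0", "udp", 9999),
    Packet("em2", "tcp", 22),
]


def verdicts_agree(packets: List[Packet] = SAMPLE_PACKETS) -> bool:
    """True if the flat and chained rule sets give the same verdict everywhere."""
    return all(run_packet(FLAT, p)[0] == run_packet(CHAINED, p)[0] for p in packets)


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "flat:", run_packet(FLAT, p), "chained:", run_packet(CHAINED, p))
    print("verdicts agree:", verdicts_agree())
```

Both rule sets enforce the same policy, but the walk differs: a packet arriving on em1 skips the whole em0 block in the chained form, while in the flat form it is tested against every em0 rule first. The example also shows the cost the thread alludes to: the dispatch rules themselves are extra rules to examine, so for a packet that matches early in the flat list (em0 tcp/80 here) the chained form examines one rule more. Whether that rewriting is done by the administrator or by the system is exactly the point Eivind raises above.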