Date: Wed, 26 Jul 2006 09:39:37 +0530
From: samba <samba@embeddedinfotech.com>
To: freebsd-pf@freebsd.org
Subject: Porting proxies/ALGs into to the kernel
Message-ID: <44C6EB01.2050303@embeddedinfotech.com>

Hi all,

I am planning to use Packet Filter as a firewall/NAT for my VPN box, which runs VxWorks. It has 32 MB of RAM. I need to support some of the popular services for machines behind the NAT, like FTP, H.323, Real Audio, NetBIOS, DNS, RTSP, SIP. The standard OpenBSD way of doing things, afaik, is to redirect the traffic to user space and let the proxy daemons deal with it.

My questions are:

a) Would it not be a big overhead to move packets to and fro between user space and kernel space? Also, in my case the box is memory constrained, so I would want to keep the number of user space processes/tasks to a minimum.

b) Would it be a good idea to port the ALGs into the kernel, the way IPFILTER or Netfilter does it?

c) Would it be feasible to re-model PF such that rule matches (e.g. IP address match, interface match) and targets (filter, redirect, DNAT, SNAT) can be registered, so that additional matches and targets can be added without much change in the core firewall code?

Please let me know your opinion regarding this.

thanks & regards
samba