Date: Sun, 24 Aug 2008 03:18:37 +0400 From: Roman Kurakin <rik@inse.ru> To: Luigi Rizzo <rizzo@iet.unipi.it> Cc: freebsd-net@freebsd.org Subject: Re: [Fwd: IPFW PATCH: make the IPFW_DEFUALT_RULE number constant non private] Message-ID: <48B09ACD.1050600@localhost.inse.ru> In-Reply-To: <20080823231407.GA76471@onelab2.iet.unipi.it> References: <48B07DC5.2030203@localhost.inse.ru> <20080823214452.GA75815@onelab2.iet.unipi.it> <48B08946.6030109@localhost.inse.ru> <20080823231407.GA76471@onelab2.iet.unipi.it>
next in thread | previous in thread | raw e-mail | index | archive | help
Luigi Rizzo wrote: > On Sun, Aug 24, 2008 at 02:03:50AM +0400, Roman Kurakin wrote: > ... > >>> unless the tools you have in mind already include ip_fw.h (in which case >>> the change is harmless and I have no objection), i think it would be better >>> to export the value in a sysctl and let the tools fetch it from there, >>> so they do not need to include the header. >>> >>> >> In fact, I am talking about ipfw(8) and natd(8). The first one uses >> hard-coded value, the last one >> pass rulenumbers to libalias(3) without a check, libalias(3) flushes >> > ... > >> IIRC the natd(8) doesn't include ip_fw.h, but I do not see why it would >> be better to export >> this value via sysctl, not compiled in via #include<> for it. The only >> > > because ip_fw.h has a lot of stuff in it which in turn is likely > to require more headers to build correctly. This is unnecessary bloat > at compile time, and also less practical than the sysctl-based approach > because it requires a binary update if the value ever changes. > > Besides, implementing the sysctl does not require to change the > headers (thus saving rebuilds of the objects that depend on it), > is one line in one file (ip_fw2.c) in the kernel, and one line to > call sysctlbyname() in each of the userland program, which you'd > need to change anyways; and because both ipfw(8) and natd(8) already > use sysctl/sysctlbyname to read/write other similar values from the > kernel, you are more consistent with the existing code and don't > even need additional headers. > Agreed, but including ip_fw.h for natd.c does not require any additional headers. All that needed looks like already there. If some one point me to other utilities that need to be fixed I'll also a sysctl for them. These two already include enough of netinet includes, so if you not strictly against adding just one more include for natd, I'll prefer not to add a sysctl by right now. rik > At runtime the sysctl is obviously more expensive than reading a > hardwired constant, but still a whole lot cheaper than the subsequent > action (adding a rule to the firewall) so one won't notice. > > cheers > luigi > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48B09ACD.1050600>