GENERIC and firewall modules

Erik P. Skaalerud erik at pentadon.com
Tue May 25 18:51:42 PDT 2004


As with the current GENERIC, PFIL_HOOKS are not enabled by default.

Any reasons for this? I don't know about the ipfw module, but the 
ipfilter module (ipl) can not load without PFIL in kernel.

Perhaps it could be made default in GENERIC?
    Last time I checked, PFIL_HOOKS degrades the performance of
    input/output path.  For people who do not use a firewall solution,
    the additional processing is pointless.
    FreeBSD guys only added it due to mass requests of firewall
    module brokenness.  In my opinion, it would be better to just
    compile-in your firewall with a modified configuration; but
    as I said, that is my opinion.
Yes, I do compile in firewall in kernel. But some people maybe don't. Or 
just need to load a firewall module in a quick hurry.
I really don't see the point of building firewall modules when the kernel 
after all has to be rebuilt to make the modules work.

Could someone check if PFIL_HOOKS decreases system performance when not 
having any firewall activated?

Erik




