cvs commit: src/sys/conf files options src/sys/contrib/ipfilter/netinet ip_fil.c ip_fil.h src/sys/i386/conf GENERIC LINT src/sys/netinet ip_input.c ip_output.c ip_var.h src/sys/netinet6 ip6_forward.c ip6_input.c ...

Richard Coleman richardcoleman at mindspring.com
Thu Dec 4 18:30:02 PST 2003


Max Laier wrote:
 >     Making PFIL_HOOKS default in the kernel leads to some perf. loss
 >     in the general case which we don't want to happen.  One way of
 >     solving this problem is to create extern pfil_hook_ pointers
 >     which are tested for by the ip_input/ip_output code, and if the
 >     pointers are not NULL, then they are called; similar to the way
 >     it is done with the NetGraph code.
All the overhead required now comes from the required function call to 
pfil_run_hooks(), which would be eliminated if the compiler/linker 
allows inlining external objects. With your suggestion you will impose 
additional overhead (though testing a pointer isn't that expensive) to 
the pfil case. I do agree however, that there might be better ways to 
handle this. Loading pfil_hooks as a seperate module isn't that good IMO.

 >     This way, we can load the PFIL_HOOKS functionality as a module
 >     and also have the packet filtering work.  I do not have any
 >     patches for this at the moment, but this is the general idea
 >     that was agreed upon, but no one got around to do it.
Can you point me at the discussion in current@, please? Must have missed 
it and can't find it atm :-\
The discussion on FreeBSD-hackers today leads me to believe the 
PFIL_HOOKS will be turned on in FreeBSD-5.3 by default.  Then ipf and 
ipfw will work out of the box (as modules).

Richard Coleman
richardcoleman at xxxxxxxxxxxxxx





More information about the Commits mailing list