DragonFly-1.0 RELEASED!
Matthew Dillon
dillon at apollo.backplane.com
Mon Jul 12 15:09:51 PDT 2004
:> Even if we do bring in PF and stick with it, we will still need
:> to make significant number of changes to make it properly work
:> with our networking model.
:
:That means porting PF is impossible ?
:I really don't know how PF works (internal) and why it's incompatible with the
:current network model but is possible to start a port or is it better to write
:a new packet filter ?
:What I want from PF is AltQ than the firewall (I currently use ipf/ipnat).
:
:Regards,
:
:F.Julien
I wouldn't say impossible. The issue with PF, as with all the
packet filter engines, is that they are not designed for MP systems.
This doesn't mean we can't run them, but it does mean we either have
to run them as a degenerate single-threaded case (which is how we handle
packet fragments at the moment, by the way), or we have to make the
filter(s) MP safe - probably through table replication across available
cpus, at least for the static entries. TCP flows are actually easier to
deal with since those can be distributed across cpus using the standard
distribution hash that the TCP protocol stack uses. Other dynamic
entities might be more difficult.
Generally speaking it's far easier for us to adapt these inherently
uni-processor filter engines to DragonFly then it is for the FreeBSD
developers to adapt them to FreeBSD-5, because we can always funnel
the non-distributable portions of the filter to a single serialized
thread.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
More information about the Kernel
mailing list