> Exactly! An idle TCP connection costs you nothing except the state that
Would you mind reading my response, too, and then informing me of your 
opinion?
> Not only that, but if you look at the amount of state something like
> iptables on Linux needs to keep in order to provide NAT capabilities it
> becomes a complete toss.
You seem to be extremely out of the field with respect to what iptables 
does and how normal NAT is implemented on a *BSD system (which was my 
example). FreeBSD doesn't have iptables at all. Stateful packet filtering 
is done by the _optional_ pf loadable kernel module (kld, in *BSD-speak) 
specifically created to meet OpenBSD's security requirements and NAT is 
done by natd, a tiny daemon. Simpler firewalls are often implemented using 
ipfw (now ipfw2).
Iptables provides very sophisticated routing and filtering capabilities. 
It's used as a back-end for stateful inspection, packet rewriting, logging, 
routing, intrusion detection, and firewalling applications. That's NAT... 
plus one million other applications. I'm unclear as to what "amount of 
state" iptables needs to keep that makes imported /net a "complete toss" 
assuming you can magically make /net provide the same functionality 
netfilter does.
Also, neither you nor anyone else has addressed the question of port 
forwarding using an imported /net. Now I'm curious: do any of you 9fans 
have an internal network behind a gateway that runs Plan 9? In case you do, 
I'll be grateful if I can read about the configuration of your network(s).
--On Friday, November 14, 2008 8:12 PM -0800 Roman Shaposhnik <[EMAIL PROTECTED]> 
wrote:
On Nov 13, 2008, at 8:55 AM, sqweek wrote:
I understand that if you import a gateway's /net on each computer in a
rather large internal network you will be consuming a huge amount of mostly
redundant resources on the gateway. My impression is that each imported
instance of /net requires a persistent session to be established between the
gateway and the host on the internal network. NAT in comparison is naturally
transient.
I'm not sure there's as much difference as you make out to be. On the
one hand, you have a NAT gateway listening for tcp/ip packets, and on
the other hand you have an open tcp/ip connection and a file server
waiting for 9p requests. It's not as though 9p is wasting bandwidth
chatting away while there's no activity, so the only cost is the
tcp/ip connection to each client on the network, which shouldn't
qualify as a huge amount of resources.
Exactly! An idle TCP connection costs you nothing except the state that
is kept by the kernels of the two connected end points. No packets
ever get generated unless there's an application level payload that
needs to be transferred. Not only that, but if you look at the amount
of state something like iptables on Linux needs to keep in order
to provide NAT capabilities it becomes a complete toss. With Plan9
as a gateway you're not paying a visible extra premium.

Thanks,
Roman.
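To make the "amount of state" argument concrete, here is a toy model of the per-flow translation table a NAT gateway keeps, with static port forwarding (DNAT) added on top. It is an added example for this thread, not code posted by anyone in it and not a model of netfilter's actual conntrack structures; the class and method names (NatGateway, translate_out, translate_in, add_forward), the port pool starting at 40000 and all addresses are assumptions constructed for illustration. Each entry in the table is the state that has to exist for a reply to find its way back inside, which is the thing being compared against holding one 9P session per client when /net is imported.

```python
"""Toy NAT (NAPT) table with port forwarding. Added example; not netfilter."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]            # (ip, port)
Flow = Tuple[str, Addr, Addr]     # (proto, src, dst) as seen on one side of the gateway


@dataclass
class Packet:
    proto: str
    src: Addr
    dst: Addr


@dataclass
class NatGateway:
    public_ip: str
    # static DNAT rules: (proto, public_port) -> internal (ip, port)
    forwards: Dict[Tuple[str, int], Addr] = field(default_factory=dict)
    next_port: int = 40000        # assumed dynamic port pool start
    # the per-flow state under discussion: one entry per active translation
    outbound: Dict[Flow, int] = field(default_factory=dict)   # inside flow -> public port
    inbound: Dict[Flow, Addr] = field(default_factory=dict)   # outside flow -> inside src

    def add_forward(self, proto: str, public_port: int, internal: Addr) -> None:
        self.forwards[(proto, public_port)] = internal

    def _install(self, proto: str, inside: Addr, outside: Addr, public_port: int) -> None:
        # record both directions so replies can be rewritten without a rule lookup
        self.outbound[(proto, inside, outside)] = public_port
        self.inbound[(proto, outside, (self.public_ip, public_port))] = inside

    def translate_out(self, pkt: Packet) -> Packet:
        """Inside -> outside: SNAT the source to public_ip:port, allocating on first sight."""
        key = (pkt.proto, pkt.src, pkt.dst)
        port = self.outbound.get(key)
        if port is None:
            # skip ports reserved by static forwards so a dynamic flow never shadows one
            while (pkt.proto, self.next_port) in self.forwards:
                self.next_port += 1
            port = self.next_port
            self.next_port += 1
            self._install(pkt.proto, pkt.src, pkt.dst, port)
        return Packet(pkt.proto, (self.public_ip, port), pkt.dst)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite dst for known flows or static forwards; else drop."""
        key = (pkt.proto, pkt.src, pkt.dst)
        inside = self.inbound.get(key)
        if inside is None:
            fwd = self.forwards.get((pkt.proto, pkt.dst[1]))
            if fwd is None or pkt.dst[0] != self.public_ip:
                return None                       # unsolicited and no rule: dropped
            inside = fwd
            # DNAT creates state too: the internal host's reply must be SNATed back
            self._install(pkt.proto, inside, pkt.src, pkt.dst[1])
        return Packet(pkt.proto, pkt.src, inside)

    def state_entries(self) -> int:
        return len(self.outbound)


def demo() -> dict:
    """Constructed traffic: two inside clients, one forwarded port, one stray packet."""
    gw = NatGateway("203.0.113.1")
    gw.add_forward("tcp", 8080, ("10.0.0.5", 80))

    out1 = gw.translate_out(Packet("tcp", ("10.0.0.2", 51000), ("198.51.100.7", 443)))
    out2 = gw.translate_out(Packet("tcp", ("10.0.0.3", 51000), ("198.51.100.7", 443)))
    # server's reply to the first flow arrives addressed to the public port
    reply = gw.translate_in(Packet("tcp", ("198.51.100.7", 443), out1.src))
    # an outside client hits the forwarded port, and the internal host answers
    fwd_in = gw.translate_in(Packet("tcp", ("192.0.2.9", 3333), ("203.0.113.1", 8080)))
    fwd_reply = gw.translate_out(Packet("tcp", ("10.0.0.5", 80), ("192.0.2.9", 3333)))
    # no flow and no rule for this port
    unsolicited = gw.translate_in(Packet("tcp", ("192.0.2.9", 4444), ("203.0.113.1", 9999)))

    return {
        "out1": out1, "out2": out2, "reply": reply,
        "fwd_in": fwd_in, "fwd_reply": fwd_reply,
        "unsolicited": unsolicited, "entries": gw.state_entries(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two inside hosts using the same source port end up on distinct public ports, the forwarded port produces a table entry the moment the first outside packet arrives, and a packet for a port with neither a flow nor a rule is dropped. The table grows by one entry per distinct flow, which is the per-flow cost a NAT gateway carries and an imported /net does not.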