On Tuesday 14 December 2004 15:03, Luigi Rizzo wrote:
> On Tue, Dec 14, 2004 at 01:47:35PM +0100, Andre Oppermann wrote:
> ...
>
> > > Implementationwise, the kernel side is evidently trivial as the
> > > original code already supports the idea of multiple chains. All
> > > you need is to extend the struct ifnet with a pointer to the chain,
> > > or use some other trick (e.g. going through ifindex) to quickly
> > > associate a chain to the input (and possibly output) interface.
> >
> > Nonononononononononononononononononononononono.
>
> andre you need to cool down a bit!

We should all.

> i said "use some other trick" exactly to avoid changing
> the struct ifnet. All i meant to say is that we want a unique
> key, possibly in a small namespace, to quickly locate the per-if
> private firewall info. How the key is used is not a business of
> the rest of the kernel. But of course if it is an index in a
> smallish array (such as ifindex) the thing is fast and clean.

Well spoken! Let's just *not* go linux here and have a "hook" on every
layer over and over and over again [1] ... because that certainly does
*not* help performance. There is always room for optimization *within*
the filter. Messing struct ifnet or other parts of the kernel with
firewall information is not the way to go.

[1] http://fxr.watson.org/fxr/ident?v=linux-2.6.9;i=NF_HOOK

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
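The design Luigi describes above (a unique key in a small namespace, such as ifindex, used as an index into a smallish array that holds the per-interface firewall chain, with nothing else in the kernel needing to know how the key is used) can be sketched in user-space C. The following is an added example written for this page, not code from the thread, from FreeBSD or from ipfw; the names (`chain_attach`, `firewall_input`, `check`, `MAX_IFINDEX`, `EXT_IFINDEX`), the rule format and the sample policy are all constructed for illustration. The point it shows is the bounds-checked O(1) lookup from interface index to private chain, with a global chain as the fallback, and that an out-of-range or unattached index can never reach past the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-interface chain table (added example, not FreeBSD code).
 * The interface index is the small-namespace key from the thread: one
 * bounds-checked array lookup selects the chain. */

#define MAX_IFINDEX 16   /* size of the "smallish array"; constructed value */

enum verdict { VERDICT_PASS = 0, VERDICT_DENY = 1 };

struct rule {
    uint32_t dst;            /* destination address, host byte order */
    uint32_t mask;           /* prefix mask applied to dst */
    uint16_t dport;          /* destination port, 0 = any */
    enum verdict action;
};

struct chain {
    const struct rule *rules;
    size_t nrules;
    enum verdict default_action;   /* used when no rule matches */
};

struct pkt {
    uint32_t dst;
    uint16_t dport;
};

/* Private firewall state: indexed by ifindex, plus a global fallback chain. */
static const struct chain *if_chain[MAX_IFINDEX];
static const struct chain *global_chain;

/* Attach a chain to an interface; reject keys outside the table so a
 * bogus ifindex can never index past it. */
int chain_attach(unsigned ifindex, const struct chain *c)
{
    if (ifindex == 0 || ifindex >= MAX_IFINDEX)
        return -1;
    if_chain[ifindex] = c;
    return 0;
}

/* O(1) lookup: the interface's own chain if attached, else the global one. */
static const struct chain *chain_lookup(unsigned ifindex)
{
    if (ifindex < MAX_IFINDEX && if_chain[ifindex] != NULL)
        return if_chain[ifindex];
    return global_chain;
}

/* First matching rule wins; otherwise the chain's default action applies. */
enum verdict chain_eval(const struct chain *c, const struct pkt *p)
{
    for (size_t i = 0; i < c->nrules; i++) {
        const struct rule *r = &c->rules[i];
        if ((p->dst & r->mask) != (r->dst & r->mask))
            continue;
        if (r->dport != 0 && r->dport != p->dport)
            continue;
        return r->action;
    }
    return c->default_action;
}

/* What the input path would call with the receiving interface's index. */
enum verdict firewall_input(unsigned ifindex, const struct pkt *p)
{
    const struct chain *c = chain_lookup(ifindex);
    if (c == NULL)
        return VERDICT_PASS;         /* no policy installed at all */
    return chain_eval(c, p);
}

/* Constructed sample policy: 10.0.0.0/8 plays the internal network. */
static const struct rule global_rules[] = {
    { 0, 0, 23, VERDICT_DENY },                      /* no telnet anywhere */
};
static const struct chain global_policy = { global_rules, 1, VERDICT_PASS };

static const struct rule ext_rules[] = {
    { 0x0A000000u, 0xFF000000u, 80, VERDICT_PASS },  /* web into 10/8 only */
};
static const struct chain ext_policy = { ext_rules, 1, VERDICT_DENY };

#define EXT_IFINDEX 2   /* constructed: the "external" interface */

int demo_setup(void)
{
    global_chain = &global_policy;
    return chain_attach(EXT_IFINDEX, &ext_policy);
}

/* Convenience wrapper: build a packet and run it through the input hook. */
enum verdict check(unsigned ifindex, uint32_t dst, uint16_t dport)
{
    struct pkt p = { dst, dport };
    return firewall_input(ifindex, &p);
}

int main(void)
{
    demo_setup();
    printf("ext  web    -> %s\n", check(2, 0x0A000005u, 80) == VERDICT_PASS ? "pass" : "deny");
    printf("ext  ssh    -> %s\n", check(2, 0x0A000005u, 22) == VERDICT_PASS ? "pass" : "deny");
    printf("int  telnet -> %s\n", check(3, 0x0A000005u, 23) == VERDICT_PASS ? "pass" : "deny");
    return 0;
}
```

Interface 3 has no chain attached, so its packets fall through to the global chain; an index at or beyond `MAX_IFINDEX` is refused at attach time and falls back to the global chain at lookup time, which is the property that keeps the per-interface data private to the filter rather than spread through `struct ifnet`.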