DragonFly commits List (threaded) for 2003-12
Re: cvs commit: src/sys/conf files options src/sys/contrib/ipfilter/netinet ip_fil.c ip_fil.h src/sys/i386/conf GENERIC LINT src/sys/netinet ip_input.c ip_output.c ip_var.h src/sys/netinet6 ip6_forward.c ip6_input.c ...
Max Laier wrote:
> Making PFIL_HOOKS default in the kernel leads to some perf. loss
> in the general case which we don't want to happen. One way of
> solving this problem is to create extern pfil_hook_ pointers
> which are tested for by the ip_input/ip_output code, and if the
> pointers are not NULL, then they are called; similar to the way
> it is done with the NetGraph code.
All the overhead required now comes from the required function call to
pfil_run_hooks(), which would be eliminated if the compiler/linker
allows inlining external objects. With your suggestion you will impose
additional overhead (though testing a pointer isn't that expensive) to
the pfil case. I do agree however, that there might be better ways to
handle this. Loading pfil_hooks as a seperate module isn't that good IMO.
> This way, we can load the PFIL_HOOKS functionality as a module
> and also have the packet filtering work. I do not have any
> patches for this at the moment, but this is the general idea
> that was agreed upon, but no one got around to do it.
Can you point me at the discussion in current@, please? Must have missed
it and can't find it atm :-\
The discussion on FreeBSD-hackers today leads me to believe the
PFIL_HOOKS will be turned on in FreeBSD-5.3 by default. Then ipf and
ipfw will work out of the box (as modules).