Re: cvs commit: src/sys/conf files options src/sys/contrib/ipfilter/netinet ip_fil.c ip_fil.h src/sys/i386/conf GENERIC LINT src/sys/netinet ip_input.c ip_output.c ip_var.h src/sys/netinet6 ip6_forward.c ip6_input.c ...

[Richard Coleman <richardcoleman@xxxxxxxxxxxxxx>]

Max Laier wrote:
>  >     Making PFIL_HOOKS default in the kernel leads to some perf. loss
>  >     in the general case which we don't want to happen.  One way of
>  >     solving this problem is to create extern pfil_hook_ pointers
>  >     which are tested for by the ip_input/ip_output code, and if the
>  >     pointers are not NULL, then they are called; similar to the way
>  >     it is done with the NetGraph code.
>
> All the overhead required now comes from the required function call to 
> pfil_run_hooks(), which would be eliminated if the compiler/linker 
> allows inlining external objects. With your suggestion you will impose 
> additional overhead (though testing a pointer isn't that expensive) to 
> the pfil case. I do agree however, that there might be better ways to 
> handle this. Loading pfil_hooks as a seperate module isn't that good IMO.
>
>  >     This way, we can load the PFIL_HOOKS functionality as a module
>  >     and also have the packet filtering work.  I do not have any
>  >     patches for this at the moment, but this is the general idea
>  >     that was agreed upon, but no one got around to do it.
>
> Can you point me at the discussion in current@, please? Must have missed 
> it and can't find it atm :-\

The discussion on FreeBSD-hackers today leads me to believe the 
PFIL_HOOKS will be turned on in FreeBSD-5.3 by default.  Then ipf and 
ipfw will work out of the box (as modules).

Richard Coleman
richardcoleman@xxxxxxxxxxxxxx