List:       freebsd-pf
Subject:    Re: Porting proxies/ALGs into to the kernel
From:       "Travis H." <solinym () gmail ! com>
Date:       2006-07-26 6:57:02
Message-ID: d4f1333a0607252357t3eaf7a6ajbad6a9ae631fbc4c () mail ! gmail ! com

On 7/25/06, samba <samba@embeddedinfotech.com> wrote:
> a) Would it not be a big overhead to move packets to and fro between
> user space and kernel space? Also, in my case the box is memory
> constrained, so I would want to keep the number of user space
> processes/tasks to a minimum.

Yes, crossing the kernel/user boundary is expensive, and that's why
things like BPF exist, to do the filtering in kernel space and only
pass matches to userspace (libpcap).

> b) Would it be a good idea to port the ALGs into the kernel, the way
> IPFILTER or Netfilter does it.

Depends on what you mean by "good".  Certainly it would be more
efficient, but you pay a price in stability -- an error in the code
stands a good chance of crashing the machine.  I suspect you'll also
find memory management in kernel space a bit trickier than userland.

Your questions hint at a fairly ambitious project; are you an
experienced kernel coder?  If not, it may be too ambitious.  If I were
you, I'd do the development under VMware or something like that,
because you'll be crashing a lot, and it's somewhat difficult to
diagnose kernel errors if you're not in a virtual machine, not to
mention the annoying bit about waiting for it to reboot each time you
discover a new error.

I don't have any hard numbers on it, but 32MB is pretty small.  You'll
probably be doing a lot of work just to keep the memory footprint
small enough.  If you decide to go this route, I humbly suggest you
write the ALGs as userland processes first, and then see if you can
shrink them down and move them into kernel space.  You may find that
there's just no way to cram them into 32MB, and save yourself a lot of
work by reaching that conclusion earlier.
-- 
"if you're not part of the solution, you're part of the precipitate"
Unix "guru" for rent or hire || http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
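
The in-kernel filtering the reply mentions, as an added example that is not part of the original message: a classic BPF program of the kind libpcap compiles for "ip and tcp dst port 21", run by a small userland interpreter that stands in for the kernel's. The choice of FTP control traffic and the names ftp_ctl, run_filter and verdict are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* layout of struct bpf_insn */
/* Classic BPF for "ip and tcp dst port 21" (FTP control) on Ethernet frames. */
static const struct insn ftp_ctl[] = {
    {0x28, 0, 0, 12},     /* ldh [12]           EtherType               */
    {0x15, 0, 8, 0x0800}, /* jeq IPv4           else drop               */
    {0x30, 0, 0, 23},     /* ldb [23]           IP protocol             */
    {0x15, 0, 6, 6},      /* jeq TCP            else drop               */
    {0x28, 0, 0, 20},     /* ldh [20]           flags + fragment offset */
    {0x45, 4, 0, 0x1fff}, /* jset               later fragment: drop    */
    {0xb1, 0, 0, 14},     /* ldxb 4*([14]&0xf)  X = IP header length    */
    {0x48, 0, 0, 16},     /* ldh [x+16]         TCP destination port    */
    {0x15, 0, 1, 21},     /* jeq 21             else drop               */
    {0x06, 0, 0, 65535},  /* ret 65535          copy frame to userland  */
    {0x06, 0, 0, 0},      /* ret 0              dropped in the kernel   */
};

/* Runs the opcode subset used above. Returns the snapshot length (0 = packet
 * never crosses into userspace). Loads outside the packet drop it. */
unsigned run_filter(const struct insn *f, size_t n, const uint8_t *p, size_t len)
{
    uint32_t a = 0, x = 0; size_t off;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case 0x28: case 0x48: /* 16-bit load, absolute or X-relative */
            off = (size_t)f[pc].k + (f[pc].code == 0x48 ? x : 0);
            if (off + 2 > len) return 0;
            a = (uint32_t)p[off] << 8 | p[off + 1]; break;
        case 0x30: if (f[pc].k >= len) return 0; a = p[f[pc].k]; break;
        case 0xb1: if (f[pc].k >= len) return 0; x = 4u * (p[f[pc].k] & 0x0f); break;
        case 0x15: pc += (a == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case 0x45: pc += (a & f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case 0x06: return f[pc].k;
        default:   return 0; /* opcode outside this subset */
        }
    }
    return 0;
}

/* Builds a constructed 54-byte Ethernet/IPv4/TCP frame and returns the verdict. */
unsigned verdict(uint8_t proto, uint16_t dport, uint16_t frag)
{
    uint8_t p[54] = {0};
    p[12] = 0x08; p[14] = 0x45; p[23] = proto;  /* EtherType 0x0800, IHL 5 */
    p[20] = frag >> 8; p[21] = frag & 0xff; p[36] = dport >> 8; p[37] = dport & 0xff;
    return run_filter(ftp_ctl, sizeof ftp_ctl / sizeof *ftp_ctl, p, sizeof p);
}
int main(void) { printf("%u %u %u\n", verdict(6, 21, 0), verdict(6, 80, 0), verdict(17, 21, 0)); return 0; }
```

Only the first of the three sample frames gets a non-zero verdict; the other two are rejected by the filter and never reach the userland reader.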
