Darren Reed wrote:



Hi, after reading the design document, I have a couple of questions.
Please kindly correct me if some of these questions are not even applicable. From what I understand, only one callback can register with a particular hook at any time. Is the original ipf filtering function counted in this "one hook" constraint? And if multiple vendors want to hook at the same point, how do these filters get chained together? Or is this not the intended use case?

Yes, the ipf filtering function would be counted as one hook.

We made it this way because we did not have an example of how more
than one hook would be active at one time.

One possible application is for load balancing which should happen after ipfilter processing.

Some problems we have with multiple vendors at one time are:
- who goes first, second, ...
- how do you control who goes first, second, ...


Microsoft's SIP application API is based on such a scheme. Registered function[s] get called on the received packet in the specified order and there can be multiple

So we decided to make it one-only for now and get input from people
about how they want to use more than one hook.

This is quite a useful framework and IMHO should be extended for use by multiple consumers. Of course we have to resolve the ordering issue.

BTW

Do you have some thoughts?

From the document, there isn't a section about framework support for these hook callbacks. Does the ipf framework provide functions/data structures for the hook callback to decide whether or not a packet is allowed? If the hook callback is responsible for configuring itself, how does it cooperate with the original ipf.conf? And is the original best-match ipf.conf behaviour still maintained? This best-match behaviour is far better than the netfilter first-match one, IMHO.

ipf can do many things but not all are yet possible or supported by Sun.
One such thing is to convert ipf.conf into C code, compile that and load
it into the kernel.  So this method could be used to do many different
things but not yet in Solaris.

In Solaris 10 today, ipf does not provide a framework for other functions
to be called or data structures.

Do you have some ideas about how to make it better?

What would you like to be able to do?

Darren

_______________________________________________
networking-discuss mailing list
[email protected]

