Re: Patch: accept filters for NetBSD

[Elad Efrat <elad%NetBSD.org@localhost>]

Thor Lancelot Simon wrote:
> On Tue, Jan 29, 2008 at 12:36:27PM +0200, Elad Efrat wrote:
> > I'm sorry, but this whole thing looks very dodgy to me. :/ There's just
> > something disturbing about putting string parsing in the kernel network
> > stack.
>
> Well, you don't have to use it; it is a per-socket option, after all.

Obviously I don't, but others do, and I'm merely raising a general
concern saying "let's give this a bit more though" given my -- and I
presume others' -- experience with fun things that can happen due to
improper string handling and/or bugs in privileged code paths. ;)

> > What's the motivation of adding the accept filters? I understand one may
> > be performance -- are there any relevant benchmarks? Is it possible to
> > hear more about why this is necessary, and what are planned future
> > extensions, if any?
>
> It is not necessary.  It provides an opportunity to optimize the processing
> of certain application-layer protocols (the ones that like to make a lot
> of connections at once)

I'm afraid I don't agree benchmarks are unnecessary. You are introducing
code to the kernel's networking stack, specifically one that will be
used by high profile services. In the OpenSSH world, a bug in the code
you are adding would be considered a pre-auth bug. These are not fun in
services, much less in the kernel.

All I ask for is information about the pros and cons of this feature, to
allow others make the trade off they want based on real data.

> without moving the entire protocol into the kernel,
> which you would presumably object to much more (talk about string parsing
> in the kernel! :-)).

That's where I'm afraid we'll end up. :)

> This is one of those features that has been in FreeBSD for about a decade
> but was just never noticed by us over here on the NetBSD side of the fence.
> Apache and a few other things can use it, but most of the code that uses
> it heavily probably is proprietary code belonging to device vendors -- I
> know mine is.

I've only seen mentions about Apache. Honestly, it seems this feature
was pushed by Yahoo! who used FreeBSD Apache servers in 2000. Are we
sure today's reality matches that of ~8 years ago?

Again, the best way to make it clear what this feature provides are
benchmarks, as this is what it aims to provide...

> I think it is better for NetBSD to not diverge from FreeBSD in this sort
> of area if we can arrange not to.

        "It is a duplicative and bogus API and I am glad it
         is not present in NetBSD, where we provide a way to get the
         same or better performance characteristics without requiring
         use of a nonstandard and ill-conceived extension."

In a thread starting at:

http://mail-index.netbsd.org/netbsd-users/2007/02/27/0012.html

;)

More seriously, though, I would appreciate if you could not only say
adding this optimizes something, but actually show it does.

> I don't have any benchmarks immediately available that I can release but
> I'm adding support for this to inetd, which should provide a useful
> demonstration and an opportunity to get some quick numbers.  I hope that's
> helpful.

Is inetd the "intended" use for this feature? (see above about Apache)

> > FWIW, a quick search didn't come up with any benchmarks nor discussions
> > in the FreeBSD archives. Maybe it was too quick? :)
>
> Probably -- the feature is quite old.

It was introduced in 2000, but I think the mailing list archives on the
FreeBSD website are from 2003. Do you have pointers to any discussions?

(maybe this would be a good opportunity to have some benchmarks and post
them online -- if the original discussion had them and is now lost?)

Thanks,

-e.