tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Patch: accept filters for NetBSD

Thor Lancelot Simon wrote:
On Tue, Jan 29, 2008 at 12:36:27PM +0200, Elad Efrat wrote:
I'm sorry, but this whole thing looks very dodgy to me. :/ There's just
something disturbing about putting string parsing in the kernel network

Well, you don't have to use it; it is a per-socket option, after all.

Obviously I don't, but others do, and I'm merely raising a general
concern saying "let's give this a bit more though" given my -- and I
presume others' -- experience with fun things that can happen due to
improper string handling and/or bugs in privileged code paths. ;)

What's the motivation of adding the accept filters? I understand one may
be performance -- are there any relevant benchmarks? Is it possible to
hear more about why this is necessary, and what are planned future
extensions, if any?

It is not necessary.  It provides an opportunity to optimize the processing
of certain application-layer protocols (the ones that like to make a lot
of connections at once)

I'm afraid I don't agree benchmarks are unnecessary. You are introducing
code to the kernel's networking stack, specifically one that will be
used by high profile services. In the OpenSSH world, a bug in the code
you are adding would be considered a pre-auth bug. These are not fun in
services, much less in the kernel.

All I ask for is information about the pros and cons of this feature, to
allow others make the trade off they want based on real data.

without moving the entire protocol into the kernel,
which you would presumably object to much more (talk about string parsing
in the kernel! :-)).

That's where I'm afraid we'll end up. :)

This is one of those features that has been in FreeBSD for about a decade
but was just never noticed by us over here on the NetBSD side of the fence.
Apache and a few other things can use it, but most of the code that uses
it heavily probably is proprietary code belonging to device vendors -- I
know mine is.

I've only seen mentions about Apache. Honestly, it seems this feature
was pushed by Yahoo! who used FreeBSD Apache servers in 2000. Are we
sure today's reality matches that of ~8 years ago?

Again, the best way to make it clear what this feature provides are
benchmarks, as this is what it aims to provide...

I think it is better for NetBSD to not diverge from FreeBSD in this sort
of area if we can arrange not to.

        "It is a duplicative and bogus API and I am glad it
         is not present in NetBSD, where we provide a way to get the
         same or better performance characteristics without requiring
         use of a nonstandard and ill-conceived extension."

In a thread starting at:


More seriously, though, I would appreciate if you could not only say
adding this optimizes something, but actually show it does.

I don't have any benchmarks immediately available that I can release but
I'm adding support for this to inetd, which should provide a useful
demonstration and an opportunity to get some quick numbers.  I hope that's

Is inetd the "intended" use for this feature? (see above about Apache)

FWIW, a quick search didn't come up with any benchmarks nor discussions
in the FreeBSD archives. Maybe it was too quick? :)

Probably -- the feature is quite old.

It was introduced in 2000, but I think the mailing list archives on the
FreeBSD website are from 2003. Do you have pointers to any discussions?

(maybe this would be a good opportunity to have some benchmarks and post
them online -- if the original discussion had them and is now lost?)



Home | Main Index | Thread Index | Old Index