Re: enabling bridge_ipf

To: Maxime Villard <max%m00nbsd.net@localhost>
Subject: Re: enabling bridge_ipf
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Fri, 31 Jul 2020 14:07:24 -0400

Maxime Villard <max%m00nbsd.net@localhost> writes:

>> The only reason not to would be if it created a lot more code and made
>> the kernel bigger, or some worry about a few instructions per packet in
>> bridging.  Surely it's just a tiny overhead, and it doesn't really make
>> sense for bridges to be special vs other interfaces.  (If someone wants
>> to compile out PFIL_HOOKS, this should go too.)

I went and read the code.  Hard-enabling BRIDGE_IPF does bring in a
bunch of lines of code, but it doesn't seem that big.   So I don't have
a problem with this.

> PFIL_HOOKS is IPF-specific, not related to bridges, and hard-enabled as far
> as I can tell (ie, not an option).

I don't follow "IPF-specific" as it seems to be an abstract interface to
an arbitrary packet filter.  But agreed that I can find no evidence of
PFIL_HOOKS being optional - I think I am remembering long ago.

>> So my only request is to do a test compile with PFIL off.

> There is no PFIL option available. "pfil" is a small set of functions which
> are unconditionally part of the kernel.

Didn't realize that was non-optional; request withdrawn.

References:
- enabling bridge_ipf
  - From: Maxime Villard
- Re: enabling bridge_ipf
  - From: Greg Troxel
- Re: enabling bridge_ipf
  - From: Maxime Villard

Prev by Date: Re: enabling bridge_ipf
Next by Date: is tcp flow control broken in -current
Previous by Thread: Re: enabling bridge_ipf
Next by Thread: Applying the inet6 ND state engine to inet4
Indexes:

Home | Main Index | Thread Index | Old Index