PERFORCE change 111230 for review
Robert Watson
rwatson at FreeBSD.org
Thu Dec 7 08:28:26 PST 2006

On Thu, 7 Dec 2006, Gleb Smirnoff wrote:
> A> >this isn't a fix. Another application will do write(,, 16k + 1) and
> A> >m_jumbo16pullup() will fail again. Please back it out, it is a hack.
> A> >
> A> >We need to fix TSO in such a way that real packets, that will be
> A> >transmitted to wire, will be passed to pfil handlers.
> A>
> A> That is not possible.
>
> ATM this should be at least documented behavior. And a solution should be
> thought, because pfil must see real packets, not their precursors.

This tension will always exist with offloaded services. tcpdump sees
"corrupted" checksums on transmitted packets, and now it sees "long" TCP
packets. Likewise, with reassembly offload, they'll come from the card in a
reassembled form (this is present in the Neterion cards, which can do fragment
reassembly, etc., in hardware, and pass a large datagram up the stack). I
don't see any way of getting around the fact that IP processing happens before
or after the firewall in the New World Order. If a firewall really wants to
see the packets as they will be transmitted, it can always do the
fragmentation and checksumming itself. However, this is pretty undesirable
from a performance perspective. I think pfil seeing the cards as they transit
the IP layer is the right approach.

Robert N M Watson
Computer Laboratory
University of Cambridge