| |||||||||||||
Van Jacobson's network channelsVan Jacobson's network channelsPosted Feb 1, 2006 11:00 UTC (Wed) by james (subscriber, #1325)In reply to: Van Jacobson's network channels by ernest Parent article: Van Jacobson's network channels Presumably you can do a lot of security when you set up the channels. It looks like the packet classifier: reads the protocol, ports, and addresses to determine the flow ID and uses this to find a channel(Dave Miller's blog). That looks like it's enough for most firewalling: it should give you pass (existing channel), fail (no channel), or needs more work (channel to netfilter).
(Log in to post comments)
Van Jacobson's network channels Posted Feb 1, 2006 20:00 UTC (Wed) by NAR (subscriber, #1313) [Link] I'm not sure I fully understand this, but it seems that these channels are used when there is a socket to the user space, i.e. an application running on the host sends/receives data to/from the network. But what about the case when there's no application? As far as I know, in routers the IP packets usually don't get to user space, but if protocol processing is moved to user space (netfilter), it might degrade performance, mightn't it?
Van Jacobson's network channels Posted Feb 2, 2006 5:45 UTC (Thu) by xoddam (subscriber, #2322) [Link] The phased implementation described only moves packet processing touserspace at the very last stage. At the 'ends' of the network this is appropriate for efficiency. But even before that stage, channels are a better way to pass packets around within the kernel. The task-oriented interface (using wakeups instead of soft interrupts) would probably mean netfilter no longer runs in tasklet context. We might instead see several netfilter kernelspace daemons (like kswapd and friends), one for each CPU.
Van Jacobson's network channels Posted Feb 2, 2006 9:57 UTC (Thu) by NAR (subscriber, #1313) [Link] Wouldn't it lead to code duplication? For example, a box doing NAT would need a (limited?) TCP/IP implementation in kernel space, while the host running e.g. an FTP client would need the full TCP/IP implementation in user space.
Van Jacobson's network channels Posted Feb 2, 2006 23:56 UTC (Thu) by xoddam (subscriber, #2322) [Link] > Wouldn't it lead to code duplication?Yes. So does inlining :-)
Van Jacobson's network channels Posted Feb 2, 2006 21:46 UTC (Thu) by iabervon (subscriber, #722) [Link] I don't see any reason that all of the channels would have to go to userspace. If a packet is to a kernel NFS client, it would end up in the kernel code, but without all the copies between the network and the VFS.
Of course, the kernel would have to keep a TCP implementation, but that's not surprising, since static binaries that use sockets should continue to work.
|
|||||||||||||