Jeremy Harris wrote:

Darren Reed wrote:

Sebastien Roy wrote:


usr/src/uts/common/inet/ip/ip.c

12665: Take this comment however you wish, but personally, I don't like having two entirely disjoint paths through ip to do forwarding (one fast and one slow). This kind of split-brained functionality makes it difficult to integrate features into the stack, which proliferates complexity. It also makes tracing and debugging difficult. At the very least, it would be beneficial to have a single point at which IPv4 packets leave the ip module (ip_xmit_v4()). Here, we introduce yet another place where a direct putnext() is done. Moreover, it seems like calling ip_xmit_v4() may not be a performance problem based on the comment on line 12775.

As a specific instance of why this is a problem, for the pfhooks project
we want to put a hook callout at the boundary between IP and drivers -
ie. just prior to putnext.

Adding more calls to putnext increases the chance that there will be
one where there is a missing call to a hook, thus creating a
security hole.


That only raises the question of why you aren't inserting a Streams
module, so that the existing Streams infrastructure safely takes
away your concern.


That is how it works today.  If you look at the overall picture of the
discussions in this forum, you should see a gradual trend of thoughts
about how to move away from being tied to using STREAMS.

Darren

_______________________________________________
networking-discuss mailing list
[email protected]
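To make the point of the thread concrete, here is an added illustration (not code from ip.c or from the pfhooks project; all names such as ip_xmit, driver_putnext, ip_forward_fast and egress_hook_t are hypothetical) of why a single egress point matters for hook coverage. Two forwarding paths exit through one function that runs the registered hook; a third path calls the driver boundary directly and silently bypasses it, which is exactly the gap a new direct putnext() call would open.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy packet; constructed for the example, not a Solaris mblk. */
typedef struct {
    uint8_t ttl;
    size_t  len;
    uint8_t data[64];
} pkt_t;

/* Hook callout at the IP/driver boundary: 0 = pass, nonzero = drop. */
typedef int (*egress_hook_t)(const pkt_t *p);

static egress_hook_t egress_hook = NULL;
static unsigned long hook_calls  = 0;   /* how often the hook ran   */
static unsigned long driver_puts = 0;   /* how often the driver got a packet */

void register_egress_hook(egress_hook_t h) { egress_hook = h; }

/* The driver boundary (stand-in for putnext()). */
static void driver_putnext(const pkt_t *p) { (void)p; driver_puts++; }

/* Single egress point: the only function that should call driver_putnext().
 * Every hook added here is guaranteed to see every packet that exits. */
int ip_xmit(pkt_t *p) {
    if (egress_hook != NULL) {
        hook_calls++;
        if (egress_hook(p) != 0)
            return -1;                 /* dropped by the hook */
    }
    driver_putnext(p);
    return 0;
}

/* Fast forwarding path: minimal work, but still exits through ip_xmit(). */
int ip_forward_fast(pkt_t *p) {
    if (p->ttl <= 1) return -1;
    p->ttl--;
    return ip_xmit(p);
}

/* Slow forwarding path: more processing, same single exit. */
int ip_forward_slow(pkt_t *p) {
    if (p->ttl <= 1) return -1;
    p->ttl--;
    /* option processing, fragmentation, etc. would sit here */
    return ip_xmit(p);
}

/* The anti-pattern under discussion: a path that does a direct putnext().
 * Nothing reminds the author that the hook exists, so it is never run. */
int ip_forward_bypass(pkt_t *p) {
    if (p->ttl <= 1) return -1;
    p->ttl--;
    driver_putnext(p);                 /* hook skipped */
    return 0;
}

/* Demo hook: drop packets whose payload starts with a constructed marker. */
static int deny_marker(const pkt_t *p) {
    return (p->len >= 4 && memcmp(p->data, "DENY", 4) == 0) ? 1 : 0;
}

void          reset_counters(void)   { hook_calls = 0; driver_puts = 0; }
unsigned long get_hook_calls(void)   { return hook_calls; }
unsigned long get_driver_puts(void)  { return driver_puts; }

/* Runs all three paths over constructed packets. Returns 1 when the
 * observed behaviour matches the expectation: the hook saw the two
 * packets that went through ip_xmit(), and the bypass path let a
 * "DENY" packet reach the driver without the hook ever running. */
int demo(void) {
    pkt_t ok  = { .ttl = 64, .len = 4 }; memcpy(ok.data,  "GOOD", 4);
    pkt_t bad = { .ttl = 64, .len = 4 }; memcpy(bad.data, "DENY", 4);

    reset_counters();
    register_egress_hook(deny_marker);

    int r1 = ip_forward_fast(&ok);     /*  0: hook ran, packet passed   */
    int r2 = ip_forward_slow(&bad);    /* -1: hook ran, packet dropped  */
    int r3 = ip_forward_bypass(&bad);  /*  0: hook skipped, DENY leaked */

    return (r1 == 0 && r2 == -1 && r3 == 0 &&
            hook_calls == 2 && driver_puts == 2) ? 1 : 0;
}
```

The counters are the check a reviewer would want: after the run, driver_puts is 2 while hook_calls is also 2, yet one of the two packets that reached the driver was never inspected. Funnelling every path through ip_xmit() makes that discrepancy impossible by construction rather than by audit.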