Re: Firewall performance

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Mike Shaver, sie wrote:
> Darren Reed wrote:
> > In some email I received from David C Niemi, sie wrote:
> > > and there is a special case to do
> > > direct NIC-to-NIC transfers with certain hardware to cut out one of those
> > > DMAs (if I understand NET_FASTROUTE option correctly).
> >
> > So how do you firewall packets which go from one NIC to the other, directly ?
>
> If you turn on firewalling, you don't get fastroute:
>
> CONFIG_NET_FASTROUTE
>   Saying Y here enables direct NIC-to-NIC (NIC = Network Interface
>   Card) data transfers, which is fast.
>
>     *** This option is NOT COMPATIBLE with several important ***
>     *** networking options: especially CONFIG*FIREWALL.      ***

Umm, so what?  This looks dangerously like it's possible to build
a kernel with both CONFIG_NET_FASTROUTE and CONFIG_*_FIREWALL
defined to me.  Maybe I should try this and at least hope for an
error at compile time telling me I'm an idiot.

Last time I looked, Linux kernel config files looked like shell
script files with a bunch of variable settings which got read from
Makefiles.

At least with BSD when you do "config FOO" it runs a sanity check
against options selected in an attempt to determine if you've made
a slip up.  But I digress.

Darren