
Re: fully transparent ftp-proxy?



On Wed, Oct 30, 2002 at 11:46:06PM +0100, Daniel Hartmeier wrote:
> On Wed, Oct 30, 2002 at 11:10:18PM +0100, Henning Brauer wrote:
> 
> > Uh well, this sounds like a massive performance penalty... I don't think I
> > like that.
> 
> A lookup in an empty list/tree would of course equal a single pointer
> comparison, so if someone is not using the feature, there's no
> additional cost.
there is, you just wrote it:
> A lookup in an empty list/tree would of course equal a single pointer
> comparison
;-)
> And since the lookup happens after the ordinary state lookup (and only
> if that fails), the cost occurs only per connection, not per packet.
> Compare to the per packet cost of forwarding the connection through
> userland...
well. there is additional cost. we need to take care. we start adding little
nifty features here and there, and by themselves they all don't cost much.
a few "doesn't cost much" added together give a noticeable additional cost.
I question that it can be done securely at all.
Aside from that:
people using ftp-proxy in front of an ftp-server which is not NATed make a
mistake. it's not needed.