[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf vs ASIC firewalls

I was asking this in MISC but recieved no answers:
 was just wondering if OBSD is doing routing+filtering in a single
context switch?
So I read in "Implementing TCP/IP" that in the BSD the ethernet
interrupt handler is using schednetint. schednetint is using softintr
in machdep.c
The only assembly I know in PC is the 8086.
So does softisr generated context switch?
(The reason I ask it was because i read "Inside cisco IOS about fast
switching. They describe it as a method to route in a single
interrupt. Since i dont have cisco code, I wanted to learn how other
OS doing that. The "tcp/ip implementation"  is about BSD, so i post my
question here)
On Thu, 17 Mar 2005 12:37:01 +0100, Henning Brauer <[email protected]> wrote:
> * Jim Fron <[email protected]> [2005-03-17 08:46]:
> > On Mar 14, 2005, at 2:26 PM, Mike Frantzen wrote:
> > >>Could Someone please tell me the advantages of PF against Firewalls
> > >>using the ASIC technology in terms of Security and perfomance??
> > >Many (most? all?) vendors shipping what they call ASIC firewalls are
> > >actually running software on a network processor (NPU). The benefit is
> > >that most NPUs will process packets in real-time so if they claim to
> > >support X gigabit per second then they can probably sustain that even
> > >with minimum sized 64byte ethernet frames;
> > You think?  I've been a bit curious about this, especially in the
> > low-end ("cheap") consumer-grade hardware.
> Mike was obviously not talking about low-end stuff.
> well, this entire thread is not about low-end shitz
> > I have no idea if the BSD's--or any general-purpose host OS, for that
> > matter--will, for example, prevent logging to disk during bursts of
> > traffic.  Perhaps there's a kernel option for priority of servicing
> > i/o.
> (almost all of the) logging happens in userland
> > All of that said, I wonder if there isn't some way to implement
> > something vaguely PF-ish in an FPGA that would allow more control over
> > the rulesets than an off-the-shelf ASIC.
> there likely is...
> I mean, state table and state table lookups in hardware, hand off
> ruleset processing to the main CPU, that would rock. If done right.
> --
> Henning Brauer, BS Web Services, http://bsws.de
> [email protected] - [email protected]
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)
Best regards,