Date: Sat, 15 Nov 2008 12:01:52 -0800
From: Roman Shaposhnik
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Message-id: <98CCE297-BE54-4ADA-B57D-DB8FE71060BA@sun.com>
MIME-version: 1.0
Content-type: text/plain; delsp=yes; format=flowed; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: [9fans] Do we have a catalog of 9P servers?

On Nov 15, 2008, at 3:21 AM, Eris Discordia wrote:

>> Exactly! An idle TCP connection costs you nothing except the state
>> that
>
> Would you mind reading my response, too, and then informing me of
> your opinion?

It would be helpful if you can quote exactly the part on which you are
requesting my opinion.

>> Not only that, but if you look at the amount of state something like
>> iptables on Linux needs to keep in order to provide NAT
>> capabilities it
>> becomes a complete toss.
>
> You seem to be extremely out of the field

What field?

> with respect to what iptables does and how normal NAT is implemented
> on a *BSD system (which was my example).

I have no knowledge of how NAT is implemented on a *BSD system and thus
I cannot comment. I am only familiar with the Linux implementation. Thus
if that's not what you're interested in discussing -- let's stop right now.

> Iptables provides very sophisticated routing and filtering
> capabilities. It's used as a back-end for stateful inspection,
> packet rewriting, logging, routing, intrusion detection, and
> firewalling applications. That's NAT... plus one million other
> applications.

Yes. And that's the NAT that *I* and a million Linux lemmings out there
are familiar with. Arguing that your OS can do that in a simpler way is
as useful as trying to convince Windows users to migrate to Linux en masse.

> I'm unclear as to what "amount of state" iptables needs to keep

After you do something like:

    # iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE

the Linux kernel module called nf_conntrack starts allocating data
structures to do its job. I'll leave it up to you to see how much memory
gets wasted on each connection. Here's a hint, though:

    /proc/net/nf_conntrack

> that makes imported /net a "complete toss" assuming you can
> magically make /net provide the same functionality netfilter does.

I have no clue what netfilter does, thus I can't answer your question.
I thought the original discussion was dedicated to comparing the overhead
that a general purpose NAT box has with the overhead of a Plan9 box from
which /net was imported. Since I haven't seen specifics I gave the example
of a typical Linux NAT built using iptables. That's the area I'm familiar
with. If you're interested in something else -- there are others on the
list who might have an opinion.

> Also, neither you nor anyone else has addressed the question of
> port forwarding using an imported /net.

Define port forwarding. And I really mean it: define. Then I can maybe
offer a bit of functionality on Plan9 that would be capable of fitting
your definition.

Thanks,
Roman.
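As an added example (not part of this thread, and not Roman's or anyone else's posted code): a POSIX shell script that puts a number on the "amount of state" point above by summarising a conntrack table, counting tracked flows per protocol and TCP state, how many of them were actually address-translated, and how close the table is to its limit. The conntrack lines inside it are a constructed sample in the /proc/net/nf_conntrack format so it runs offline; the sysctl paths in the comment are the real ones on a Linux NAT box.

```shell
#!/bin/sh
# Added example, not from the 9fans thread: measure the per-connection state
# nf_conntrack keeps once a MASQUERADE rule is active. Live input is
# /proc/net/nf_conntrack; SAMPLE_CONNTRACK below is a constructed sample in
# that file's format (RFC 5737 test addresses) so the script runs offline.

SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=203.0.113.1 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.7 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=203.0.113.1 sport=80 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=53000 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=53000 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=198.51.100.10 sport=52000 dport=22 src=198.51.100.10 dst=203.0.113.1 sport=22 dport=52000 [ASSURED] mark=0 zone=0 use=2'

# Read conntrack lines on stdin; print one "kind count" line per protocol
# (tcp split by state), then how many entries were actually address-translated
# (reply-direction dst differs from original src, i.e. what MASQUERADE rewrote)
# and the total number of tracked flows.
conntrack_summary() {
    awk '
    {
        kind = $3
        if ($3 == "tcp") kind = $3 "/" $6
        kinds[kind]++
        osrc = ""; rdst = ""; nsrc = 0; ndst = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { nsrc++; if (nsrc == 1) osrc = substr($i, 5) }
            if ($i ~ /^dst=/) { ndst++; if (ndst == 2) rdst = substr($i, 5) }
        }
        if (osrc != "" && rdst != "" && osrc != rdst) translated++
        total++
    }
    END {
        for (k in kinds) printf "%s %d\n", k, kinds[k] | "sort"
        close("sort")
        printf "translated %d\n", translated + 0
        printf "total %d\n", total + 0
    }'
}

# $1 = entries in use, $2 = table limit; prints the integer fill percentage and
# WARN at 80% or more, since a full table makes the kernel drop new flows.
conntrack_usage() {
    pct=$(( $1 * 100 / $2 ))
    if [ "$pct" -ge 80 ]; then echo "$pct WARN"; else echo "$pct ok"; fi
}
# On a real Linux NAT box, feed the live table and its sysctl counters instead:
#   conntrack_summary < /proc/net/nf_conntrack
#   conntrack_usage "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#                   "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary
conntrack_usage 4 65536
```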