Date: Sat, 15 Nov 2008 11:21:59 +0000
From: Eris Discordia
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Do we have a catalog of 9P servers?

> Exactly! An idle TCP connection costs you nothing except the state that

Would you mind reading my response, too, and then informing me of your
opinion?

> Not only that, but if you look at the amount of state something like
> iptables on Linux needs to keep in order to provide NAT capabilities it
> becomes a complete toss.

You seem to be extremely out of the field with respect to what iptables
does and how normal NAT is implemented on a *BSD system (which was my
example). FreeBSD doesn't have iptables at all. Stateful packet filtering
is done by the _optional_ pf loadable kernel module (kld, in *BSD-speak)
specifically created to meet OpenBSD's security requirements, and NAT is
done by natd, a tiny daemon. Simpler firewalls are often implemented using
ipfw (now ipfw2).

Iptables provides very sophisticated routing and filtering capabilities.
It's used as a back-end for stateful inspection, packet rewriting,
logging, routing, intrusion detection, and firewalling applications.
That's NAT... plus one million other applications. I'm unclear as to what
"amount of state" iptables needs to keep that makes imported /net a
"complete toss", assuming you can magically make /net provide the same
functionality netfilter does.

Also, neither you nor anyone else has addressed the question of port
forwarding using an imported /net.

Now I'm curious: do any of you 9fans have an internal network behind a
gateway that runs Plan 9? In case you do, I'll be grateful if I can read
about the configuration of your network(s).

--On Friday, November 14, 2008 8:12 PM -0800 Roman Shaposhnik wrote:

> On Nov 13, 2008, at 8:55 AM, sqweek wrote:
>>> I understand that if you import a gateway's /net on each computer in a
>>> rather large internal network you will be consuming a huge amount of
>>> mostly redundant resources on the gateway. My impression is that each
>>> imported instance of /net requires a persistent session to be
>>> established between the gateway and the host on the internal network.
>>> NAT in comparison is naturally transient.
>>
>> I'm not sure there's as much difference as you make it out to be. On
>> the one hand, you have a NAT gateway listening for tcp/ip packets, and
>> on the other hand you have an open tcp/ip connection and a file server
>> waiting for 9p requests. It's not as though 9p is wasting bandwidth
>> chatting away while there's no activity, so the only cost is the
>> tcp/ip connection to each client on the network, which shouldn't
>> qualify as a huge amount of resources.
>
> Exactly! An idle TCP connection costs you nothing except the state that
> is kept by the kernels of the two connected end points. No packets
> ever get generated unless there's an application level payload that
> needs to be transferred. Not only that, but if you look at the amount
> of state something like iptables on Linux needs to keep in order
> to provide NAT capabilities it becomes a complete toss. With Plan9
> as a gateway you're not paying a visible extra premium.
>
> Thanks,
> Roman.
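To make the *BSD gateway side of this comparison concrete, here is an added example, written for this page and not posted by anyone in the thread, of a pf.conf on a FreeBSD gateway that does both the outbound NAT and the inbound port forwarding the post asks about, using pf's own nat/rdr rules (natd behind an ipfw divert rule is the other route mentioned). The interface names, the internal network and the internal web server address are hypothetical values chosen for the example.

```pf
# /etc/pf.conf on a FreeBSD gateway (example; interface and address values are hypothetical)
ext_if  = "em0"              # interface facing the upstream network
int_if  = "em1"              # interface facing the internal network
int_net = "192.168.1.0/24"   # hypothetical internal network
web_srv = "192.168.1.10"     # hypothetical internal host that should be reachable on TCP/80

# Outbound NAT: rewrite the source of internal traffic to the gateway's external address.
# pf keeps one state-table entry per flow; the entry disappears when the flow closes or times out,
# which is the "naturally transient" state the thread is arguing about.
nat on $ext_if from $int_net to any -> ($ext_if)

# Port forwarding: inbound TCP/80 arriving at the external address is redirected to the internal host.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny, then allow exactly the translated flows, statefully.
block all
pass out all keep state
pass in on $int_if from $int_net to any keep state
# rdr rewrites the destination before filtering, so the pass rule matches the internal host, not ($ext_if).
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s state` lists the per-flow entries once it is loaded. Those entries are the NAT-side cost: one short-lived entry per active flow, as opposed to one long-lived 9P session per internal client when /net is imported from the gateway.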