
Re: UVM, UBC, and PF criticisms in comp.unix.solaris



In some mail from Generic Player, sie said:
[...]
> And the ping thing lasted for a long time, I don't know when or if it
> ever got fixed, but how exactly would that be a misconfiguration?

The ping thing is not exactly a simple issue although I'm sure it is
from a perspective that doesn't involve thinking about it too hard.

For starters, if you have two hosts, inside, which both want to ping
the same external host, at exactly the same time, what do you do when
you get 1 reply back instead of 2?  Does the firewall get heavy and
put its own data in the data part of the ICMP payload?  What if the
user is sending 0 bytes data?  You can't exactly just add more because
that has an effect on the measurement, however small or big.

Then there are other problems too, such as do you reuse (and adjust) the
same state entry for consecutive ICMP echo packets, adjusting the expected
return ICMP Id# or create a new one & NAT entry for each outstanding one?
What happens when you're ping'ing something that's dead?  Do you end up
with the kernel having 100s of things waiting for replies or do you just
use one and to hell with anything that takes longer than 1sec to reply?

The only answer is to say that NAT is evil.

Darren
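A small model of the state-tracking choices Darren lists, as an added example that is not part of the original thread or of any firewall's code: two inside hosts ping the same target with the same ICMP id, the table rewrites the id so each reply maps back to one host, existing state is reused for consecutive echoes, and stale entries for dead targets are expired rather than left waiting. Host addresses, ids and the 1-second ttl are constructed values.

```python
class IcmpEchoNat:
    """Toy NAT state table for ICMP echo (constructed example, not PF/IPFilter code)."""

    def __init__(self, ttl=1.0, first_id=1000):
        self.ttl = ttl            # seconds to keep waiting for a reply
        self.next_id = first_id   # firewall-chosen outside ICMP ids start here
        self.out = {}             # (inside_src, dst, orig_id) -> mapped_id
        self.inb = {}             # (dst, mapped_id) -> (inside_src, orig_id, last_seen)

    def outbound(self, inside_src, dst, icmp_id, now):
        """Rewrite the ICMP id of an outgoing echo request; reuse state if present."""
        key = (inside_src, dst, icmp_id)
        mapped = self.out.get(key)
        if mapped is None:        # first echo of this flow: allocate a unique outside id
            mapped = self.next_id
            self.next_id += 1
            self.out[key] = mapped
        self.inb[(dst, mapped)] = (inside_src, icmp_id, now)
        return mapped

    def inbound(self, dst, mapped_id, now):
        """Translate an echo reply back to (inside host, original id), or None."""
        entry = self.inb.get((dst, mapped_id))
        if entry is None:
            return None
        inside_src, orig_id, last_seen = entry
        if now - last_seen > self.ttl:   # target dead or too slow: drop stale state
            self.forget(dst, mapped_id)
            return None
        return inside_src, orig_id

    def forget(self, dst, mapped_id):
        inside_src, orig_id, _ = self.inb.pop((dst, mapped_id))
        self.out.pop((inside_src, dst, orig_id), None)

    def expire(self, now):
        """Garbage-collect entries older than ttl so dead targets do not pile up state."""
        stale = [k for k, (_, _, t) in self.inb.items() if now - t > self.ttl]
        for k in stale:
            self.forget(*k)
        return len(stale)


def naive_reply_owners(requests, dst, icmp_id):
    """Without id rewriting, every inside host that sent (dst, id) claims the one reply."""
    return [src for (src, d, i) in requests if (d, i) == (dst, icmp_id)]
```

The zero-length-payload case Darren raises is exactly why the id field, not the data part, is the only place left to carry the mapping.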