Date: Wed, 24 Nov 1999 02:49:48 -0800 (PST)
From: Julian Elischer <julian@whistle.com>
To: "Rodney W. Grimes" <rgrimes@gndrsh.dnsmgr.net>
Cc: Brian Fundakowski Feldman <green@FreeBSD.ORG>, ipfw@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: new IPFW
Message-ID: <Pine.BSF.4.10.9911240245250.11412-100000@current1.whistle.com>
In-Reply-To: <199911241026.CAA45230@gndrsh.dnsmgr.net>

On Wed, 24 Nov 1999, Rodney W. Grimes wrote:

> > I've finally sat myself down to take the first step in getting the new
> > IPFW done. I'll start by listing some of the different ideas I've had,
> ... [and lots more good stuff cut to make this short and to the point]...
>
> > And this would be the object-oriented architecture part.
> >
> > I'm going to wrap this up since I'm up quite late (well, only 1:30, but
> > I'm still a growing person...), and I don't want to start to get too
> > incoherent. Thank you for your time and attention with my IPFW ideas,
> > and please send comments and ideas to me; heck, I'd love to start
> > a long discussion about this, so we can flesh everything out :)
>
> Have you looked at or thought about using the bpf routines in the
> kernel? bpf match rules are very powerful, compile to some pretty
> fast code, and the code is already written, and it knows about a lot
> more than just IP.
>
> After all, they are probably the ``oldest'' set of filter routines
> we have, they have just never been reused to do firewall type stuff
> with. The fcode engine even has a jump, though all jumps must be
> forward in the fcode, but this is no more restrictive than the current
> firewall rule ``skipto'' operation.

Then there is a reference that Garrett Wollman pointed out some time ago:
a package at MIT called 'DPF'. Very cool.. incorporated into the Exokernel.
Unfortunately it uses an in-kernel incremental machine instruction
generator, so it wouldn't be very portable; however, it is apparently
blazingly fast.

I envision a combination of the structure of ipfw with the compiled speed
of DPF. In other words, the packet falls through an IPFW branching
structure until it hits a DPF filter which produces an outcome.

>
> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message