From owner-freebsd-hackers Tue Jan 7 15:04:53 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA18864 for hackers-outgoing; Tue, 7 Jan 1997 15:04:53 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id PAA18848 for ; Tue, 7 Jan 1997 15:04:47 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id PAA10755 for ; Tue, 7 Jan 1997 15:05:34 -0800 (PST)
Received: (qmail 6677 invoked by uid 110); 7 Jan 1997 23:04:06 -0000
Message-ID: <19970107230406.6676.qmail@suburbia.net>
Subject: Re: FreeBSD as a cleanwall
In-Reply-To: <199701072210.AAA13560@katiska.clinet.fi> from Heikki Suonsivu at "Jan 8, 97 00:10:32 am"
To: hsu@clinet.fi (Heikki Suonsivu)
Date: Wed, 8 Jan 1997 10:04:06 +1100 (EST)
Cc: hackers@freebsd.org, security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Is there anything which ipfw does but bpf does not, other than better
> performance ?
>
> How much more bpf consumes cpu than ipfw, per packet filtered, per rule ?
>
> --
> Heikki Suonsivu, T{ysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
> mobile +358-40-5519679 work +358-9-43542270 fax -4555276
>

The two are not really comparable. If I was going to write a packet
filtering system from scratch, I'd take most of Darren's code and add:

	query optimisation and grammar from libpcap
	fast masking from RMON
	my socket credential code

Bpf primarily exists to cut down kernel<->user space talk, and I don't
think it is useful elsewhere, except as a slow portable low-level
substrate. Some RMON (one?) system(s) have support for bpf code, but
except for ip/tcp options and quantitative decisions, fast masks work
very well.

Cheers,
Julian
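
Added example, not part of the message above and not code from ipfw, bpf, libpcap or any RMON product: a fixed-offset mask-and-compare filter, assumed here to be what "fast masks" refers to, next to a computed-offset check, showing where the mask stops working (IP options shift the TCP header; a port range is not a single mask/value pair). All names (mask_filter, mask_match, smtp_filter, tcp_dport_in_range, make_pkt) are hypothetical, packets are assumed to start at the IPv4 header, and fragmentation is ignored.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-offset filter: (pkt[i] & mask[i]) == value[i], i < 24. */
struct mask_filter { uint8_t mask[24], value[24]; };

int mask_match(const struct mask_filter *f, const uint8_t *pkt, size_t n)
{
    for (size_t i = 0; i < sizeof f->mask; i++)
        if (i >= n || (pkt[i] & f->mask[i]) != f->value[i])
            return 0;                 /* short packet or byte mismatch */
    return 1;
}

/* "IPv4 without options, TCP, destination port 25" as one mask/value pair. */
struct mask_filter smtp_filter(void)
{
    struct mask_filter f = {{0}, {0}};
    f.mask[0] = 0xff;  f.value[0] = 0x45;    /* version 4, IHL 5 */
    f.mask[9] = 0xff;  f.value[9] = 6;       /* protocol = TCP */
    f.mask[22] = 0xff; f.value[22] = 0;      /* dst port high byte (20 + 2) */
    f.mask[23] = 0xff; f.value[23] = 25;     /* dst port low byte */
    return f;
}

/* Computed-offset check: follows IHL past options and tests a port range. */
int tcp_dport_in_range(const uint8_t *pkt, size_t n, uint16_t lo, uint16_t hi)
{
    size_t ihl = n ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    if (ihl < 20 || n < ihl + 4 || (pkt[0] >> 4) != 4 || pkt[9] != 6)
        return 0;
    uint16_t dport = (uint16_t)(pkt[ihl + 2] << 8 | pkt[ihl + 3]);
    return dport >= lo && dport <= hi;
}

/* Constructed sample packet: zeroed IPv4 + TCP headers, 5 <= ihl_words <= 15.
 * buf must hold at least ihl_words * 4 + 20 bytes (80 covers every case). */
size_t make_pkt(uint8_t *buf, unsigned ihl_words, uint16_t dport)
{
    size_t ihl = ihl_words * 4u;
    memset(buf, 0, ihl + 20);
    buf[0] = (uint8_t)(0x40 | ihl_words);    /* version 4 + IHL */
    buf[9] = 6;                              /* TCP */
    buf[ihl + 2] = (uint8_t)(dport >> 8);
    buf[ihl + 3] = (uint8_t)(dport & 0xff);
    return ihl + 20;
}
```

The mask costs one AND and one compare per byte with no per-packet offset arithmetic; the price is that a packet with IHL 6 carrying the same port 25 segment falls outside it, so a rule set built on masks needs a defined policy for packets with IP options.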