Date:      Wed, 8 Jan 1997 00:10:32 +0200 (EET)
From:      Heikki Suonsivu <hsu@clinet.fi>
To:        Darren Reed <avalon@coombs.anu.edu.au>
Cc:        proff@suburbia.net, brandon@cold.org, security@FreeBSD.ORG
Subject:   Re: FreeBSD as a cleanwall
Message-ID:  <199701072210.AAA13560@katiska.clinet.fi>
In-Reply-To: <199701070514.VAA28796@freefall.freebsd.org>
References:  <19970106231249.23462.qmail@suburbia.net> <199701070514.VAA28796@freefall.freebsd.org>


Darren Reed writes:
...
 > Julian, you really should separate this functionality out of ipfw.
 > 
 > For the most part, it has no relevance to the original context of ipfw.
 > Maybe you should write ipfws (IP firewall sockets) or similar?  (Makes
 > good sense to me ... :-)

Before ipfw cooks coffee, maybe it might be worthwhile to look at combining
the functionality of bpf and ipfw, instead of duplicating everything possible
with bpf into ipfw and vice versa.  In general it would be better to have
one interface for matching packets which could then be used for anything
(not just firewalling, but bandwidth management, snooping data like bpf now
does, accounting, etc).  I assume this would reduce the amount of code in the
kernel, as the ipfw matching code could be replaced with calls to bpf?

Is there anything which ipfw does but bpf does not, other than better
performance?

How much more CPU does bpf consume than ipfw, per packet filtered, per rule?

 > Darren

-- 
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-9-43542270 fax -4555276


