Date: Wed, 8 Jan 1997 10:04:06 +1100 (EST) From: proff@suburbia.net To: hsu@clinet.fi (Heikki Suonsivu) Cc: hackers@freebsd.org, security@freebsd.org Subject: Re: FreeBSD as a cleanwall Message-ID: <19970107230406.6676.qmail@suburbia.net> In-Reply-To: <199701072210.AAA13560@katiska.clinet.fi> from Heikki Suonsivu at "Jan 8, 97 00:10:32 am"
next in thread | previous in thread | raw e-mail | index | archive | help
> Is there anything which ipfw does but bpf does not, other than better
> performance ?
>
> How much more bpf consumes cpu than ipfw, per packet filtered, per rule ?
>
> --
> Heikki Suonsivu, T{ysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
> mobile +358-40-5519679 work +358-9-43542270 fax -4555276
>
The two are not really compariable. If I was going to write a packet
filtering system from scratch, I'd take most of Darren's code and add:
query optimisation and grammer from libpcap
fast masking from RMON
my socket credential code
Bpf primarily exists to cut down kernel<->user space talk, and I
don't think it is useful elsewhere, except as a slow portable
low-level substrate. Some RMON (one?) system(s) have support for
bpf code, but except for ip/tcp options and quantitative decisions,
fast masks work very well.
Cheers,
Julian <proff@iq.org>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970107230406.6676.qmail>