Date: Wed, 8 Jan 1997 14:28:17 +1100 (EDT) From: Darren Reed <avalon@coombs.anu.edu.au> To: hsu@clinet.fi (Heikki Suonsivu) Cc: avalon@coombs.anu.edu.au, proff@suburbia.net, brandon@cold.org, security@FreeBSD.ORG Subject: Re: FreeBSD as a cleanwall Message-ID: <199701080329.TAA09596@freefall.freebsd.org> In-Reply-To: <199701072210.AAA13560@katiska.clinet.fi> from "Heikki Suonsivu" at Jan 8, 97 00:10:32 am
next in thread | previous in thread | raw e-mail | index | archive | help
In some mail from Heikki Suonsivu, sie said: > > Before ipfw cooks coffee, maybe it might be worthwhile to look at combining > functionality of bpf and ipfw, instead of duplicating everything possible > with bpf into ipfw and vice versa. In general it would be better to have > one interface for matching packets which could then be used for anything > (not just firewalling, but bandwidth management, snooping data like bpf now > does, accounting, etc). I assume this would reduce amount of code in > kernel as ipfw matching code could be replaced with calls to bpf? > > Is there anything which ipfw does but bpf does not, other than better > performance ? > > How much more bpf consumes cpu than ipfw, per packet filtered, per rule ? I've looked at doing this in the past and some time in the future, want to make using BPF an option with IP Filter. What BPF provides is the means to create complex filters (and that's about it) in the kernel - primarily for performance boosts with things like tcpdump. BPF is slightly more expensive (performace wise), but better in terms of flexibility. (There have been rumours about a BPF which compiles to machine code, rather than BPF object code, which would negate that arguement but they seem to be still rumours). Things like ipfw/IP Filter deal with not just the packet matching, but dealing with the results of matches, etc.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701080329.TAA09596>