Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 8 Jan 1997 14:28:17 +1100 (EDT)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        hsu@clinet.fi (Heikki Suonsivu)
Cc:        avalon@coombs.anu.edu.au, proff@suburbia.net, brandon@cold.org, security@FreeBSD.ORG
Subject:   Re: FreeBSD as a cleanwall
Message-ID:  <199701080329.TAA09596@freefall.freebsd.org>
In-Reply-To: <199701072210.AAA13560@katiska.clinet.fi> from "Heikki Suonsivu" at Jan 8, 97 00:10:32 am

next in thread | previous in thread | raw e-mail | index | archive | help
In some mail from Heikki Suonsivu, sie said:
> 
> Before ipfw cooks coffee, maybe it might be worthwhile to look at combining
> functionality of bpf and ipfw, instead of duplicating everything possible
> with bpf into ipfw and vice versa.  In general it would be better to have
> one interface for matching packets which could then be used for anything
> (not just firewalling, but bandwidth management, snooping data like bpf now
> does, accounting, etc).  I assume this would reduce amount of code in
> kernel as ipfw matching code could be replaced with calls to bpf?
> 
> Is there anything which ipfw does but bpf does not, other than better
> performance ?
> 
> How much more bpf consumes cpu than ipfw, per packet filtered, per rule ?

I've looked at doing this in the past and some time in the future, want to
make using BPF an option with IP Filter.

What BPF provides is the means to create complex filters (and that's about
it) in the kernel - primarily for performance boosts with things like
tcpdump.

BPF is slightly more expensive (performace wise), but better in terms of
flexibility.  (There have been rumours about a BPF which compiles to
machine code, rather than BPF object code, which would negate that
arguement but they seem to be still rumours).

Things like ipfw/IP Filter deal with not just the packet matching, but
dealing with the results of matches, etc.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701080329.TAA09596>