From owner-freebsd-security Tue Jan 7 19:29:22 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id TAA09604 for security-outgoing; Tue, 7 Jan 1997 19:29:22 -0800 (PST)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id TAA09596 for ; Tue, 7 Jan 1997 19:29:19 -0800 (PST)
Message-Id: <199701080329.TAA09596@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA027814097; Wed, 8 Jan 1997 14:28:17 +1100
From: Darren Reed
Subject: Re: FreeBSD as a cleanwall
To: hsu@clinet.fi (Heikki Suonsivu)
Date: Wed, 8 Jan 1997 14:28:17 +1100 (EDT)
Cc: avalon@coombs.anu.edu.au, proff@suburbia.net, brandon@cold.org, security@FreeBSD.ORG
In-Reply-To: <199701072210.AAA13560@katiska.clinet.fi> from "Heikki Suonsivu" at Jan 8, 97 00:10:32 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Heikki Suonsivu, sie said:
>
> Before ipfw cooks coffee, maybe it might be worthwhile to look at combining
> functionality of bpf and ipfw, instead of duplicating everything possible
> with bpf into ipfw and vice versa. In general it would be better to have
> one interface for matching packets which could then be used for anything
> (not just firewalling, but bandwidth management, snooping data like bpf now
> does, accounting, etc). I assume this would reduce the amount of code in the
> kernel as ipfw matching code could be replaced with calls to bpf?
>
> Is there anything which ipfw does but bpf does not, other than better
> performance?
>
> How much more CPU does bpf consume than ipfw, per packet filtered, per rule?

I've looked at doing this in the past and, some time in the future, want to
make using BPF an option with IP Filter. What BPF provides is the means to
create complex filters (and that's about it) in the kernel - primarily for
performance boosts with things like tcpdump.

BPF is slightly more expensive (performance-wise), but better in terms of
flexibility. (There have been rumours about a BPF which compiles to machine
code, rather than BPF object code, which would negate that argument, but they
seem to be still rumours.) Things like ipfw/IP Filter deal with not just the
packet matching, but with the results of matches, etc.
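An added illustration of the split described above (BPF supplies only the match; the firewall decides what to do with it), not code from this thread, ipfw, IP Filter or any kernel: a toy BPF-style matcher beside a separate rule/action layer. The opcode names, the packet layout (IPv4 without options, then TCP) and the sample addresses are constructed for the example.

```python
import socket
import struct

# Opcodes of a tiny classic-BPF-like subset (names are ours, not the kernel's
# encoding): load byte/half/word at an absolute offset, jump-if-equal, return.
LDB, LDH, LDW, JEQ, RET = "ldb", "ldh", "ldw", "jeq", "ret"

def run_bpf(prog, pkt):
    """Match only: run the program over raw IPv4 bytes and return its
    return value (0 = no match). Loads past the end fail closed, as in BPF."""
    acc, pc = 0, 0
    try:
        while pc < len(prog):
            op, *args = prog[pc]
            if op == LDB:
                acc = pkt[args[0]]
            elif op == LDH:
                acc = struct.unpack_from("!H", pkt, args[0])[0]
            elif op == LDW:
                acc = struct.unpack_from("!I", pkt, args[0])[0]
            elif op == JEQ:             # (JEQ, k, jt, jf): relative jumps
                k, jt, jf = args
                pc += jt if acc == k else jf
            elif op == RET:
                return args[0]
            pc += 1
    except (IndexError, struct.error):
        return 0
    return 0

# "IPv4 without options, TCP, destination port 23" (TCP header at offset 20).
PROG_TELNET = [
    (LDB, 0), (JEQ, 0x45, 0, 5),   # version 4, IHL 5
    (LDB, 9), (JEQ, 6, 0, 3),      # protocol TCP
    (LDH, 22), (JEQ, 23, 0, 1),    # TCP destination port
    (RET, 65535), (RET, 0),
]
MATCH_ALL = [(RET, 65535)]

# Policy layer, the part BPF does not provide: first matching rule wins,
# implicit deny when nothing matches.
RULES = [("block", "telnet-in", PROG_TELNET), ("pass", "any", MATCH_ALL)]

def firewall(rules, pkt):
    for action, name, prog in rules:
        if run_bpf(prog, pkt):
            return action, name
    return "block", "default-deny"

def ipv4_tcp(src, dst, sport, dport):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp
```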