From owner-freebsd-hackers Thu Apr 23 06:37:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA00301 for freebsd-hackers-outgoing; Thu, 23 Apr 1998 06:37:06 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA00263 for ; Thu, 23 Apr 1998 06:36:47 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id NAA00648 for ; Thu, 23 Apr 1998 13:36:41 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id PAA03232; Thu, 23 Apr 1998 15:36:41 +0200 (MET DST) Message-ID: <19980423144259.57155@follo.net> Date: Thu, 23 Apr 1998 15:36:41 +0200 From: Eivind Eklund To: hackers@FreeBSD.ORG Subject: Re: changing ipfw interface (was Re: cvs commit: src/sys/netinet ip_fw.c) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i X-Mailer: Mutt 0.89.1i In-Reply-To: <9804231217.AA01806@avalon.reed.wattle.id.au.>; from darrenr@reed.wattle.id.au on Thu, Apr 23, 1998 at 10:12:54PM +1000 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Thu, Apr 23, 1998 at 10:12:54PM +1000, darrenr@reed.wattle.id.au wrote: > In some email I received from Eivind Eklund, sie wrote: > [...] > > Well, what do you think? > > To me, it seems that it is effectively duplicating the BPF code, I don't understand why you see this change as really related to BPF. This is _not_ in any way duplicating BPF - this is just another way of passing the IPFW rules over the userland/kernel boundary. You could of course do most pure filtering using BPF instead of having IPFW and ipfilter at all; I'd say that's a different discussion. > plus you'd have a much more flexible solution with BPF and less > "extra code" in the kernel. Depending on how generic you want the outlined interface to be. It can be kept at the 'least generic level' as it is now, or propagated upward to be a gate for interfaces for all programs presently dependent on kernel-only structures (ps et. al). > Of course, maybe you don't want to write an ipfw rule -> BPF > converter :) Actually, something like this is on my long-term TODO-list (but it is impossible to say when I'll get around to it - probably not before 3.0, at least). However, BPF is not a convenient form for modification, and there need to be an interface to make it possible to modify rule lists. The above proposal is to modify the rule lists, which can then be converted to whatever internal form is convenient for optimal rules-processing (and there are a lot of options here, as you certainly know). > Plus, it only solves half of the problem - structure size changing > but not capabilities. If you ever remove a capability, the filter > rules could be screwed. There is no way of addressing capability removal short of propagating them to the user when they apply, and letting the user handle them. This is what the proposed interface do. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message