From owner-freebsd-hackers  Sat May 23 00:35:58 1998
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id AAA13567
          for freebsd-hackers-outgoing; Sat, 23 May 1998 00:35:58 -0700 (PDT)
          (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA13557
          for <hackers@FreeBSD.ORG>; Sat, 23 May 1998 00:35:46 -0700 (PDT)
          (envelope-from julian@whistle.com)
Received: (from daemon@localhost)
	by alpo.whistle.com (8.8.5/8.8.5) id AAA02175;
	Sat, 23 May 1998 00:28:32 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22)
 via SMTP by alpo.whistle.com, id smtpd002173; Sat May 23 07:28:29 1998
Date: Sat, 23 May 1998 00:28:26 -0700 (PDT)
From: Julian Elischer <julian@whistle.com>
To: Darren Reed <avalon@coombs.anu.edu.au>
cc: thorpej@nas.nasa.gov, mike@smith.net.au, lc001@yahoo.com,
        hackers@FreeBSD.ORG
Subject: Re: Questions about Packet Filter
In-Reply-To: <199805230328.UAA22625@hub.freebsd.org>
Message-ID: <Pine.BSF.3.95.980523002604.24959E-100000@current1.whistle.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG



On Sat, 23 May 1998, Darren Reed wrote:

> In some mail from Jason Thorpe, sie said:
> > 
> > On Thu, 21 May 1998 16:36:19 -0700 
> >  Mike Smith <mike@smith.net.au> wrote:
> > 
> >  > > 1. Are the ipfilter tools using divert() function that Mike and Dan
> >  > > mentioned available in somewhere? 
> >  > 
> >  > ipfilter is Darren Reed's in-kernel firewall product.
> >  > 
> >  > divert(4) is a FreeBSD-native feature.  It is not, to the best of my
> >  > knowledge, emulated by anything else.
> > 
> > Uh... doens't IP Filter implement a divert(4)-like feature?
> 
> Sort of.  divert(4) provides complete packets through a socket(2)
> interface, so if you want to do NAT or anything else with divert(4),
> you incur the overhead of at least two context switches.

Of course.. that's what it's for!
It's to allow people to write USERLAND processes to do arbtrary procrdding
on packets extracted from a stream and re-insert them back into the
stream.
This was done at the request of people at CSRG who said that they wanted
to see some work we were proposing  'OUT of the kernel and not IN it'.

 > 
> IP Filter does as much as it can inside the kernel, with trapping to
> userland only for authentication of packets..
> 
> Darren
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message