Subject: Re: ipfw (ala BSD/OS) and why it was cool
To: Peter Seebach <seebs@plethora.net>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 12/20/2004 17:38:59
In message <200412202226.iBKMQAbJ018976@guild.plethora.net>, Peter Seebach writes:
>So, BSD/OS had a thing called ipfw, which was totally unlike FreeBSD's.
>
>It had a couple of major features.
>
>One was that it had an actual language, complete with nested conditionals,
>which compiled to moderately optimized BPF code.
>
>Another was that it had multiple points at which a filter could be applied.
>So, instead of writing a single unified filter which has to take all
>circumstances into account, you could write multiple filters.
>
>Filters could go at any of the following points:
>	pre-input (the raw wire seeing a packet)
>	input (a packet is actually directed to this machine)
>	forward (a packet is being forwarded)
>	output (a packet has been generated by this machine)
>	pre-output (a packet is about to hit the actual wire)
>
>(The last name is confusing.)
>
>So far as I can tell, none of the existing tools (ipfilter, PF, FreeBSD's
>ipfw) are as cool as this was.
>
>So... I doubt Wind River is going to let that code go anytime soon, but I'm
>wondering, would people be interested in this?  It's actually not that much
>work, once you've had the ideas.  The flexibility makes it possible to easily
>write filters which are at least hard, and maybe even impossible, with some
>of the other filtering tools out there.
>
>Any interest?
>

Count me as interested.

		--Steve Bellovin, http://www.research.att.com/~smb