Subject: Re: ipfw (ala BSD/OS) and why it was cool
To: Peter Seebach <seebs@plethora.net>
From: Daniel Carosone <dan@geek.com.au>
List: current-users
Date: 12/21/2004 09:34:03

On Mon, Dec 20, 2004 at 04:26:10PM -0600, Peter Seebach wrote:
> One was that it had an actual language, complete with nested conditionals,
> which compiled to moderately optimized BPF code.

Hm. There are many ways to do this part, each with pros and cons.

> Another was that it had multiple points at which a filter could be applied.
> So, instead of writing a single unified filter which has to take all
> circumstances into account, you could write multiple filters.

I've long been an advocate for splitting up classification vs
actions. We have a number of places where a generic 'packet
classifier' language would be of use, beyond the current firewalling:
policy routing, ALTQ-like things, IPSEC, various event detectors like
ppp or isdn idle triggers, and no doubt more as new features are
contemplated.

Some of these already have their own (different, partial) languages or
tools for the purpose, which is obviously wasteful and confusing.

--
Dan.