Subject: Re: ipfw (ala BSD/OS) and why it was cool
To: Peter Seebach <>
From: Daniel Carosone <>
List: current-users
Date: 12/21/2004 09:34:03

On Mon, Dec 20, 2004 at 04:26:10PM -0600, Peter Seebach wrote:
> One was that it had an actual language, complete with nested conditionals,
> which compiled to moderately optimized BPF code.

Hm. There are many ways to do this part, each with pros and cons.

> Another was that it had multiple points at which a filter could be applied.
> So, instead of writing a single unified filter which has to take all
> circumstances into account, you could write multiple filters.

I've long been an advocate for splitting up classification vs
actions. We have a number of places where a generic 'packet
classifier' language would be of use, beyond the current firewalling:
policy routing, ALTQ-like things, IPSEC, various event detectors like
ppp or isdn idle triggers, and no doubt more as new features are

Some of these already have their own (different, partial) languages or
tools for the purpose, which is obviously wasteful and confusing.
