Subject: Re: ipfw (ala BSD/OS) and why it was cool
To: Peter Seebach <firstname.lastname@example.org>
From: Daniel Carosone <email@example.com>
Date: 12/21/2004 09:34:03
Content-Type: text/plain; charset=us-ascii
On Mon, Dec 20, 2004 at 04:26:10PM -0600, Peter Seebach wrote:
> One was that it had an actual language, complete with nested conditionals,
> which compiled to moderately optimized BPF code.
Hm. There are many ways to do this part, each with pros and cons.
> Another was that it had multiple points at which a filter could be applied.
> So, instead of writing a single unified filter which has to take all
> circumstances into account, you could write multiple filters.
I've long been an advocate for splitting up classification vs
actions. We have a number of places where a generic 'packet
classifier' language would be of use, beyond the current firewalling:
policy routing, ALTQ-like things, IPSEC, various event detectors like
ppp or isdn idle triggers, and no doubt more as new features are
Some of these already have their own (different, partial) languages or
tools for the purpose, which is obviously wasteful and confusing.