Subject: Re: your packet filter thang...
To: Charles M. Hannum <mycroft@ai.mit.edu>
From: Darren Reed <darrenr@vitruvius.arbld.unimelb.edu.au>
List: tech-kern
Date: 03/01/1995 22:16:44
In some email I received from Charles M. Hannum, they wrote:
> 
>    With consideration to BPF, without rewriting BPF, it doesn't
>    provide any facility to do anything other than filter packets.
> 
> You haven't explained why.  In particular, adding a logging mechanism
> is almost completely disjoint from the machinery of filtering packets.
> 
>    From my understanding of the BPF, filters are applied/loaded as a
>    "whole set", rather than one at a time and are compiled to work
>    like this.
> 
> What's wrong with this?  I don't see a compelling reason for the
> filter management to be done in the kernel rather than by some
> user-level utility or library.
> 
> The point of using the BPF filtering machinery is:
> 
> 1) it already exists,
> 2) it's quite general, and
> 3) with a relatively simple hack, it can be made very fast.
> 
> I need a good reason to condone adding yet another filtering
> mechanism.  In particular, I will not allow what at least one other
> system has done: having 3 different IP filtering mechanisms used by
> different utilities.

Fair enough.

My objections to using BPF are few, as I agree with most of the sentiments
you have, especially (1) and (2) (I don't know enough about it to know what
needs doing for "speedups").

However...

Firstly, I don't see why changing the filtering rules currently in use
should require you to reload the entire ruleset.  To change a single
rule then requires you to `disconnect' from the network (ifconfig down),
remove the BPF rules, load a new set, and ifconfig up.  I don't object
to having to use a user-utility to compile the rules, just that it appears
to need to work on the ruleset as a whole.  Not even Cisco routers require
you to do this...the idea being you can perform ongoing maintenance
without affecting the operation of the network in general.

The ability to log (and thus monitor) packets going through a 'router'
which is acting as part of a firewall is essential, in the view of many,
including myself.  Although this could (conceivably) be done through
just ordinary use of the BPF, being able to log the result(s) of the
filters on the packet is just as useful.

So whilst I see BPF as being good and flexible in what it can do, it
isn't quite as flexible in how it can be used :-( - IMO and based on
what I know about how it works.

darren
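As an added illustration of the two points argued in the thread above (a BPF filter is applied as one whole program, and logging a verdict can sit beside the filter rather than inside it), here is a toy classic-BPF interpreter in Python. It is example code written for this page, not NetBSD's BPF implementation or anything from the thread; the instruction mnemonics, the `compile_dst_host_filter` helper and the sample frames are constructed for the demo.

```python
"""Toy classic-BPF interpreter with per-packet verdict logging.

Added example, not code from NetBSD or from the thread above.  It covers a
subset of the real BPF instruction set (absolute loads, jeq, ret); the
mnemonics, helper names and sample frames are constructed for this demo.
"""
import struct

# Assumed mnemonics for the toy instruction tuples (not the kernel's opcodes).
LDB, LDH, LDW, JEQ, RET = "ldb", "ldh", "ld", "jeq", "ret"


def run_bpf(program, packet):
    """Run a BPF program over one packet.

    Returns the number of bytes to accept (0 means drop), like bpf_filter().
    A load that runs past the end of the packet drops it, as real BPF does.
    Jump targets are relative to the *next* instruction, as in BPF.
    """
    acc = 0
    pc = 0
    while pc < len(program):
        insn = program[pc]
        op = insn[0]
        if op in (LDB, LDH, LDW):
            width = {LDB: 1, LDH: 2, LDW: 4}[op]
            off = insn[1]
            if off < 0 or off + width > len(packet):
                return 0
            acc = int.from_bytes(packet[off:off + width], "big")
        elif op == JEQ:
            _, k, jt, jf = insn
            pc += jt if acc == k else jf
        elif op == RET:
            return insn[1]
        else:
            raise ValueError(f"unknown opcode {op!r}")
        pc += 1
    return 0  # fell off the end of the program: drop


def ip_to_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def compile_dst_host_filter(host):
    """Build the whole program for 'ip and dst host <host>' over Ethernet.

    Changing the host means regenerating and swapping the entire program,
    which is the 'ruleset as a whole' property discussed in the thread.
    """
    return [
        (LDH, 12),                       # EtherType
        (JEQ, 0x0800, 0, 3),             # not IPv4 -> jump to final ret 0
        (LDW, 14 + 16),                  # IPv4 destination address
        (JEQ, ip_to_int(host), 0, 1),    # mismatch -> ret 0
        (RET, 65535),                    # accept whole packet
        (RET, 0),                        # drop
    ]


def make_ipv4_frame(src, dst, proto=6):
    """Constructed Ethernet + minimal IPv4 header (no payload, zero checksum)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ip_to_int(src).to_bytes(4, "big"),
                     ip_to_int(dst).to_bytes(4, "big"))
    return eth + ip


def make_arp_frame():
    """Constructed Ethernet frame carrying ARP (EtherType 0x0806)."""
    return bytes(6) + bytes(6) + struct.pack("!H", 0x0806) + bytes(28)


def filter_and_log(program, frames):
    """Apply the filter to each frame and record the verdict beside it.

    The log lives entirely outside run_bpf(): the filter machinery does not
    need to change for verdicts to be recorded.
    """
    verdicts, log = [], []
    for i, frame in enumerate(frames):
        v = run_bpf(program, frame)
        verdicts.append(v)
        log.append(f"frame {i}: {'pass' if v else 'drop'} len={len(frame)} ret={v}")
    return verdicts, log


if __name__ == "__main__":
    prog = compile_dst_host_filter("10.0.0.5")
    frames = [
        make_ipv4_frame("10.0.0.1", "10.0.0.5"),
        make_ipv4_frame("10.0.0.1", "10.0.0.9"),
        make_arp_frame(),
        b"\x00" * 10,  # truncated frame: the load past the end drops it
    ]
    _, log = filter_and_log(prog, frames)
    print("\n".join(log))
```

Running the script prints one log line per frame; only the first frame passes. Note that swapping in a filter for a different host replaces the list returned by `compile_dst_host_filter` wholesale, while `filter_and_log` is untouched by that change.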