Subject: Re: your packet filter thang...
To: None <email@example.com>
From: Charles M. Hannum <firstname.lastname@example.org>
Date: 03/01/1995 07:10:55
To stop packets you might otherwise wish to allow/disallow from
passing through whilst there are no filtering rules loaded ?
In a word: HUH? Where did I suggest nuking the current filter while a
new one is being loaded? Why do you keep thinking of a particular
implementation which is so obviously broken?
I guess if you wanted, you could allow for two "programs" to be
resident in memory (for BPF) for both input and output, on each
interface (total of 8 for a dual interface "firewall" host) and
switch between the two.
No; what I'm `getting at' is the ability to install a new filter while
the old one is still active. This could mean having two BPF filters
in the kernel for a brief period, but unless you have separate
processes switching all the filters at once (which I'd expect to be an
extremely rare occurance), this still only means having one extra
filter in the kernel at once. And even if by some random chance all
the filters are being switched at once ... so what?