Subject: Re: your packet filter thang...
To: Darren Reed <darrenr@vitruvius.arbld.unimelb.EDU.AU>
From: Chris G Demetriou <Chris_G_Demetriou@LAGAVULIN.PDL.CS.CMU.EDU>
List: tech-kern
Date: 03/02/1995 06:34:14
> To stop packets you might otherwise wish to allow/disallow from passing
> through whilst there are no filtering rules loaded ?  Whilst it isn't
> strictly necessary, if you care enough about your filtering, then if
> you have to remove them all, you don't want any packets passing which
> might otherwise be acted upon.  Of course, this assumes that by default
> packets are being allowed through.

The thoughts of "atomic update" or "atomic replacement" come to
mind...  8-)  This isn't a hard problem to solve.

> I guess if you wanted, you could allow for two "programs" to be resident
> in memory (for BPF) for both input and output, on each interface (total
> of 8 for a dual interface "firewall" host) and switch between the two.
> (I assume this is what you are getting at above).  So long as it was
> possible to support this, it'd alleviate the problem.

Actually, the fact that you need that many filters indicates to me
that the job of writing the "master filter" would be a bit tougher...
but i think it could still be done with a few (minimal) modifications
to BPF.  (basically, also pass "interface pointer" and "in/out" up to
BPF, etc.)
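As an added illustration of the atomic-replacement idea discussed above (example code, not from this thread, BPF or NetBSD): two resident programs per (interface, direction), the inactive one filled offline and then published with a single atomic pointer store, with a deny-all program standing in while nothing is loaded so the host fails closed rather than open. All type and function names are hypothetical, and the rule set is constructed for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum dir { DIR_IN = 0, DIR_OUT = 1 };
struct pkt { uint8_t proto; uint16_t dport; };
struct rule { uint8_t proto; uint16_t dport; bool allow; };
/* A "program" is a rule list plus the verdict for packets no rule matches. */
struct program { const struct rule *rules; size_t nrules; bool default_allow; };

/* Two interfaces x two directions x two slots: the eight resident programs
 * from the thread.  Only one slot per (iface, dir) is published at a time. */
#define NIFACE 2
static struct program progs[NIFACE][2][2];          /* [iface][dir][slot] */
static _Atomic(struct program *) active[NIFACE][2]; /* NULL until first install */
/* Fail closed: consulted whenever no program has been installed yet. */
static const struct program deny_all = { NULL, 0, false };

static bool run_program(const struct program *p, const struct pkt *k)
{
    for (size_t i = 0; i < p->nrules; i++)
        if (p->rules[i].proto == k->proto && p->rules[i].dport == k->dport)
            return p->rules[i].allow;
    return p->default_allow;
}

/* Fast path: one atomic load, then evaluate whichever program is published. */
bool filter_packet(int iface, enum dir d, const struct pkt *k)
{
    const struct program *p = atomic_load(&active[iface][d]);
    return run_program(p ? p : &deny_all, k);
}

/* Slow path: fill the inactive slot, then publish it with a single atomic
 * store.  Packets see the old program or the new one, never "no rules". */
void install_program(int iface, enum dir d, const struct rule *r, size_t n, bool dflt)
{
    struct program *cur = atomic_load(&active[iface][d]);
    struct program *next = (cur == &progs[iface][d][0]) ? &progs[iface][d][1]
                                                        : &progs[iface][d][0];
    next->rules = r; next->nrules = n; next->default_allow = dflt;
    atomic_store(&active[iface][d], next);
}

/* Verdict for one constructed packet; handy for exercising the filter. */
bool check(int iface, enum dir d, uint8_t proto, uint16_t dport)
{ struct pkt k = { proto, dport }; return filter_packet(iface, d, &k); }

/* Constructed sample: inbound on interface 0, allow TCP/22, drop TCP/23, deny the rest. */
static const struct rule sample_in[] = { { 6, 22, true }, { 6, 23, false } };
bool install_sample_rules(void)
{ install_program(0, DIR_IN, sample_in, 2, false); return atomic_load(&active[0][DIR_IN]) != NULL; }
```

A real kernel would additionally have to free or reuse the old slot only after every in-flight evaluation of it has finished; the swap itself is the easy part.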