Subject: Re: your packet filter thang...
To: None <darrenr@vitruvius.arbld.unimelb.edu.au>
From: Charles M. Hannum <mycroft@ai.mit.edu>
List: tech-kern
Date: 03/02/1995 16:09:02
   Below is an extract from a current set of packet filter rules I use
   to implement a firewall:

   [...]

   How easy would it be to write a BPF set of rules to do the same?

It would be trivial.  It's exactly the sort of thing that the BPF
machine is designed to do.

   I might also add, that it is possible, from the filters produced
   through what I've written, with not much effort to extract the
   filters from the kernel and present them back in a form which looks
   exactly the same as what you see above.

As I've already said, you can have an interface like you described
that's managed in a user-level program.  That's easy.

How do you currently change (add, delete, reorder) rule sets?  Do you
have to delete the add rules before adding new ones?  I'd venture that
it would be *preferable* to have all the rules in some file that I
can edit.

Plus, of course, the BPF compiler knows how to do some optimization.
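To make the point of the exchange concrete (firewall-style rules map directly onto the BPF machine, and the resulting filter can be listed back out in readable form), here is an added example that is not part of the thread and not NetBSD's or Darren's code. It compiles a small first-match rule set (action, protocol, source network, destination port) into classic BPF instructions using the opcode values from <net/bpf.h>, runs them in a minimal interpreter over constructed IPv4/TCP packets, and disassembles the program tcpdump -d style. It assumes the filter sees packets starting at the IPv4 header (no link-layer header), uses only the handful of opcodes it emits, and all addresses and rules are hypothetical.

```python
import struct
import ipaddress

# Classic BPF opcode constants, same values as <net/bpf.h>.
BPF_LD, BPF_LDX, BPF_ALU, BPF_JMP, BPF_RET = 0x00, 0x01, 0x04, 0x05, 0x06
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10
BPF_ABS, BPF_IND, BPF_MSH = 0x20, 0x40, 0xa0
BPF_AND, BPF_JEQ, BPF_K = 0x50, 0x10, 0x00

# Filter return value: number of bytes to accept (0 = drop).
ACTION = {"pass": 0xffffffff, "block": 0}


def compile_rules(rules, default="block"):
    """Compile first-match firewall rules into a classic BPF program.

    Assumption: packets start at the IPv4 header, so the protocol byte is at
    offset 9, the source address at 12 and the TCP/UDP destination port at
    (IP header length) + 2.  Each rule is a run of loads and jeq tests; any
    failed test jumps past the rule's ret to the next rule.
    """
    prog = []
    for rule in rules:
        body = []  # [code, jt, jf, k]; jf=None marks "skip to next rule"
        if "proto" in rule:
            body.append([BPF_LD | BPF_B | BPF_ABS, 0, 0, 9])
            body.append([BPF_JMP | BPF_JEQ | BPF_K, 0, None, rule["proto"]])
        if "src" in rule:
            net = ipaddress.ip_network(rule["src"], strict=False)
            body.append([BPF_LD | BPF_W | BPF_ABS, 0, 0, 12])
            body.append([BPF_ALU | BPF_AND | BPF_K, 0, 0, int(net.netmask)])
            body.append([BPF_JMP | BPF_JEQ | BPF_K, 0, None, int(net.network_address)])
        if "dport" in rule:
            body.append([BPF_LDX | BPF_B | BPF_MSH, 0, 0, 0])  # X = 4 * ihl
            body.append([BPF_LD | BPF_H | BPF_IND, 0, 0, 2])   # A = dst port
            body.append([BPF_JMP | BPF_JEQ | BPF_K, 0, None, rule["dport"]])
        body.append([BPF_RET | BPF_K, 0, 0, ACTION[rule["action"]]])
        # Patch the skip offsets; BPF jump targets are relative to pc + 1.
        for pc, insn in enumerate(body):
            if insn[2] is None:
                insn[2] = len(body) - (pc + 1)
        prog.extend(tuple(insn) for insn in body)
    prog.append((BPF_RET | BPF_K, 0, 0, ACTION[default]))
    return prog


def run_bpf(prog, pkt):
    """Minimal interpreter covering only the opcodes compile_rules() emits."""
    a = x = pc = 0
    try:
        while True:
            code, jt, jf, k = prog[pc]
            pc += 1
            if code == BPF_LD | BPF_B | BPF_ABS:
                a = pkt[k]
            elif code == BPF_LD | BPF_W | BPF_ABS:
                a = struct.unpack_from("!I", pkt, k)[0]
            elif code == BPF_LD | BPF_H | BPF_IND:
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif code == BPF_LDX | BPF_B | BPF_MSH:
                x = (pkt[k] & 0x0f) * 4
            elif code == BPF_ALU | BPF_AND | BPF_K:
                a &= k
            elif code == BPF_JMP | BPF_JEQ | BPF_K:
                pc += jt if a == k else jf
            elif code == BPF_RET | BPF_K:
                return k
            else:
                raise ValueError(f"unsupported opcode {code:#x}")
    except (IndexError, struct.error):
        return 0  # load past the end of a short packet: reject, as the kernel does


MNEMONIC = {  # tcpdump -d style listing: the "present them back" step
    BPF_LD | BPF_B | BPF_ABS: "ldb [{k}]",
    BPF_LD | BPF_W | BPF_ABS: "ld [{k}]",
    BPF_LD | BPF_H | BPF_IND: "ldh [x + {k}]",
    BPF_LDX | BPF_B | BPF_MSH: "ldxb 4*([{k}]&0xf)",
    BPF_ALU | BPF_AND | BPF_K: "and #{k:#x}",
    BPF_JMP | BPF_JEQ | BPF_K: "jeq #{k:#x} jt {jt} jf {jf}",
    BPF_RET | BPF_K: "ret #{k}",
}


def disassemble(prog):
    return [f"({pc:03d}) " + MNEMONIC[code].format(k=k, jt=pc + 1 + jt, jf=pc + 1 + jf)
            for pc, (code, jt, jf, k) in enumerate(prog)]


def ipv4_tcp(src, dst, sport, dport):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP SYN, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp


# Constructed rule set with hypothetical addresses: ssh only from 10.1.0.0/16
# (the explicit block shows first-match ordering), http from anywhere,
# everything else dropped by the default rule.
RULES = [
    {"action": "pass", "proto": 6, "src": "10.1.0.0/16", "dport": 22},
    {"action": "block", "proto": 6, "dport": 22},
    {"action": "pass", "proto": 6, "dport": 80},
]
FIREWALL = compile_rules(RULES)


def allowed(src, dport):
    return run_bpf(FIREWALL, ipv4_tcp(src, "192.0.2.10", 40000, dport)) != 0


if __name__ == "__main__":
    print("\n".join(disassemble(FIREWALL)))
    for src, port in [("10.1.2.3", 22), ("198.51.100.7", 22), ("198.51.100.7", 80)]:
        print(src, port, "pass" if allowed(src, port) else "block")
```

Two things worth noticing: every rule ends in its own `ret`, so the program is first-match exactly like the text-form rule list, and a packet too short to hold the field being tested is rejected rather than matched, which is how the kernel BPF interpreter treats out-of-range loads. A real compiler (or the BPF optimizer the reply mentions) would hoist the repeated protocol and header-length loads out of each rule; this one emits them per rule so the listing lines up with the rules one-to-one.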