Subject: Re: your packet filter thang...
To: None <firstname.lastname@example.org>
From: Charles M. Hannum <email@example.com>
Date: 03/02/1995 16:09:02

Below is an extract from a current set of packet filter rules I use
to implement a firewall:
How easy would it be to write a BPF set of rules to do the same ?

It would be trivial. It's exactly the sort of thing that the BPF
machine is designed to do.

I might also add, that it is possible, from the filters produced
through what I've written, with not much effort to extract the
filters from the kernel and present them back in a form which looks
exactly the same as what you see above.

As I've already said, you can have an interface like you described
that's managed in a user-level program. That's easy.

How do you currently change (add, delete, reorder) rule sets? Do you
have to delete the add rules before adding new ones? I'd venture that
it would be *preferable* to have all the rules in some file that I
Plus, of course, the BPF compiler knows how to do some optimization.