Subject: Re: your packet filter thang...
To: Chris G Demetriou <Chris_G_Demetriou@LAGAVULIN.PDL.CS.CMU.EDU>
From: Darren Reed <email@example.com>
Date: 03/03/1995 10:55:23
In some email I received from Chris G Demetriou, they wrote:
> The only significant difference would be that logging would be done
> differently: in particular, the 'master's for input and output would
> only control passing and blocking packets, not logging them; to log
> them, you'd use a listener on a normal BPF device, set up to listen
> on the "up-stream" (before blockage) side of the blocker.
In some cases, I only want to log a blocked packet...and only if it
matches that rule. To use normal BPF for this would be to filter the
packet twice, which is reducing performance...
> I don't see how your "block quick" entries are different than they
> would be if they were just "block" -- if i did, i could do a quick
> conversion for you right now...
If a packet matches "block quick", it doesn't check the packet against
any more rules, and returns "block". Just "block" sets the pass-block flag
to block and continues looking for more matching rules.
> also, we still don't know a lot about your filtering implementation:
> how _large_ is it? i.e. how many lines of code? how many bytes of
> source? how many bytes of object code?
(borromini:~/src/fil) wc ip_fil.c mln_ipl.c
     621    1995   12579 ip_fil.c
     174     457    3651 mln_ipl.c
     127     450    3210 ip_fil.h
     922    2902   19440 total
Type     Id Off Loadaddr Size Info     Rev Module Name
DEV       0 113 f8669000 0018 f866d030   1 ipl
compiled with -g:
(candella:~/src/fil) size if_ipl.o
text    data    bss     dec     hex
10136   240     8192    18568   4888
(candella:~/src/fil) ll !$
-rwx--x--x 1 darrenr 501 72018 Mar 3 10:49 if_ipl.o*
147k of source, including manual pages, but this includes bits so it works
on SunOS too.
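
The "block" versus "block quick" behaviour and the log-on-match point from the message above, as an added example that is not part of the original email and is not code from ip_fil.c. The struct layout, the per-rule log flag following the deciding rule, the default-pass policy and the sample rules and packets are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout for illustration; not the structures from ip_fil.h. */
enum { FR_PASS, FR_BLOCK };

struct rule {
    int      action;     /* FR_PASS or FR_BLOCK */
    int      quick;      /* nonzero: stop at this rule when it matches */
    int      log;        /* nonzero: log packets decided by this rule */
    uint32_t src, mask;  /* source network and mask, host byte order */
    uint16_t dport;      /* destination port, 0 = any */
};
struct pkt     { uint32_t src; uint16_t dport; };
struct verdict { int action, log, checked; };

/* Constructed sample ruleset. */
static const struct rule rules[] = {
    { FR_BLOCK, 1, 1, 0x0A000000, 0xFF000000, 0  }, /* block quick + log 10/8 */
    { FR_BLOCK, 0, 0, 0,          0,          23 }, /* block any to port 23 */
    { FR_PASS,  0, 0, 0xC0A80100, 0xFFFFFF00, 23 }, /* pass 192.168.1/24 to 23 */
};
#define NRULES (sizeof rules / sizeof rules[0])

/* One pass over the list: the same match sets the verdict and the log flag. */
struct verdict filter_check(const struct rule *r, size_t n, const struct pkt *p)
{
    struct verdict v = { FR_PASS, 0, 0 };   /* assumed default: pass, no log */
    for (size_t i = 0; i < n; i++) {
        v.checked++;
        if ((p->src & r[i].mask) != r[i].src)
            continue;
        if (r[i].dport != 0 && r[i].dport != p->dport)
            continue;
        v.action = r[i].action;             /* plain rule: record, keep going */
        v.log    = r[i].log;
        if (r[i].quick)
            break;                          /* quick rule: verdict is final */
    }
    return v;
}

int main(void)
{
    const struct pkt p[] = { {0x0A010203, 80}, {0xC0A80105, 23}, {0xAC100001, 23} };
    for (size_t i = 0; i < sizeof p / sizeof p[0]; i++) {
        struct verdict v = filter_check(rules, NRULES, &p[i]);
        printf("%08x:%u -> %s log=%d after %d rules\n", (unsigned)p[i].src,
               (unsigned)p[i].dport, v.action == FR_BLOCK ? "block" : "pass", v.log, v.checked);
    }
    return 0;
}
```

Rule order matters in both directions here: a later plain "pass" overrides an earlier plain "block", while a "quick" rule placed first cannot be overridden by anything after it.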