In some email I received from Chris G Demetriou, they wrote:

> The only significant different would be that logging would be done
> different: in particular, the 'master's for input and output would
> only control passing and blocking packets, not logging them; to log
> them, you'd use a listener on a normal BPF device, set up to listen
> on the "up-stream" (before blockage) side of the blocker.

In some cases, I only want to log a blocked packet...and only if it
matches that rule.  To use normal BPF for this would be to filter the
packet twice, which is reducing performance...

> I don't see how your "block quick" entries are different than they
> would be if they were just "block" -- if i did, i could do a quick
> conversion for you right now...

If a packet matches "block quick", it doesn't check the packet against
any more rules, and returns "block".  Just "block" sets the pass-block flag
to block and continues looking for more matching rules.

> also, we still don't know a lot about your filtering implementation:
> 
> how _large_ is it?  i.e. how many lines of code?  how many bytes of
> source?  how many bytes of object code?

(borromini:~/src/fil) wc ip_fil.c mln_ipl.c 
     621    1995   12579 ip_fil.c
     174     457    3651 mln_ipl.c
     127     450    3210 ip_fil.h
     922    2902   19440 total

from modstat:

(candella:~) modstat
Type    Id  Off Loadaddr Size Info     Rev Module Name
DEV       0 113 f8669000 0018 f866d030   1 ipl

compiled with -g:

(candella:~/src/fil) size if_ipl.o
text    data    bss     dec     hex
10136   240     8192    18568   4888
(candella:~/src/fil) ll !$
ll if_ipl.o
-rwx--x--x  1 darrenr  501  72018 Mar  3 10:49 if_ipl.o*

147k of source, including manual pages, but this includes bits so it works
on SunOS too.

darren