Subject: Re: transparent filtering and bridge(4)?
To: Bill Squier <>
From: Steven M. Bellovin <>
List: tech-net
Date: 03/08/2002 14:55:51
In message <>, Bill Squier writes
>On Thu, Mar 07, 2002 at 12:26:48PM -0500, Thor Lancelot Simon wrote:
>> On Wed, Mar 06, 2002 at 11:17:20PM -0500, Steven M. Bellovin wrote:
>> >
>> > Even so, that's a lot of machine-dependent code in the kernel.  It 
>> > doesn't really strike me as the way to go.  As I said, we already 
>> > permit LKM; is there an incremental risk?
>> Well, one problem is that lots of firewall configurations effectively
>> *don't* permit LKMs, at least not without a manual, attended reboot to
>> get the LKMs loaded.
>> What about:
>> 1) Signed BPF->C->object code toolchain, which signs its output
>> 2) Kernel allows signed "BPF modules" to be loaded while running.
>> Now you are at the mercy of bugs in your BPF compiler, but otherwise just
>> as safe as you were before; the same situation you'd be in if you put the
>> BPF translator in the kernel.
>BPF is small and restricted enough that you might have a chance of proving
>safety properties of the compiled code.
Might be an interesting use for proof-carrying code.

		--Steve Bellovin,
		Full text of "Firewalls" book now at
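
[Added example, not part of the thread and not NetBSD's own code: the point above is that classic BPF is restricted enough to check mechanically. The program below is a stand-alone static checker for classic BPF bytecode, modelled on the checks the BSD kernel's bpf_validate() performs before it accepts a filter: every jump is forward (offsets are unsigned and relative to the next instruction, so the program cannot loop) and lands inside the program, scratch-memory indices stay below BPF_MEMWORDS, there is no division by a constant zero, and the last instruction is a RET. Those are exactly the properties a BPF->C->object translator would have to preserve, and two of them (division by zero, running off the end) become kernel traps or arbitrary-code execution rather than a wrong filter result once the program is native code. The opcode encoding is reproduced from the standard <net/bpf.h> layout so the file needs no BPF headers; the sample programs, the verdict enum and the names bpf_check/NINSN are constructed here for illustration.]

```c
/*
 * Static checker for classic BPF programs (added example; not the kernel's
 * bpf_validate(), but it checks the same properties).  Opcode encoding is the
 * standard classic-BPF layout, reproduced so no <net/bpf.h> is needed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03,
       BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MISC = 0x07 }; /* class */
enum { BPF_H = 0x08 };                                                    /* size  */
enum { BPF_IMM = 0x00, BPF_ABS = 0x20, BPF_IND = 0x40, BPF_MEM = 0x60,
       BPF_LEN = 0x80, BPF_MSH = 0xa0 };                                  /* mode  */
enum { BPF_DIV = 0x30, BPF_NEG = 0x80 };                /* ALU ops run 0x00..0x80 */
enum { BPF_JA = 0x00, BPF_JEQ = 0x10, BPF_JGT = 0x20, BPF_JGE = 0x30, BPF_JSET = 0x40 };
enum { BPF_K = 0x00 };                                                    /* src   */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_MEMWORDS 16      /* scratch memory slots M[0..15] */
#define BPF_MAXINSNS 512

/* Constructed verdicts: which safety property a program violates. */
enum verdict { V_OK = 0, V_BAD_LEN, V_BAD_MEM, V_BAD_JUMP, V_DIV_BY_ZERO, V_BAD_OPCODE, V_NO_RET };

enum verdict bpf_check(const struct bpf_insn *f, size_t len)
{
    if (len < 1 || len > BPF_MAXINSNS)
        return V_BAD_LEN;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        uint64_t from = (uint64_t)i + 1;        /* 64-bit so from + k cannot wrap */
        switch (BPF_CLASS(p->code)) {
        case BPF_LD: case BPF_LDX:
            switch (BPF_MODE(p->code)) {
            case BPF_MEM:                       /* ld M[k]: index must be in range */
                if (p->k >= BPF_MEMWORDS) return V_BAD_MEM;
                break;
            case BPF_IMM: case BPF_ABS: case BPF_IND: case BPF_LEN: case BPF_MSH:
                break;                          /* packet loads are bounds-checked at run time */
            default:
                return V_BAD_OPCODE;
            }
            break;
        case BPF_ST: case BPF_STX:              /* st M[k] */
            if (p->k >= BPF_MEMWORDS) return V_BAD_MEM;
            break;
        case BPF_ALU:
            if (BPF_OP(p->code) > BPF_NEG) return V_BAD_OPCODE;
            if (BPF_OP(p->code) == BPF_DIV && BPF_SRC(p->code) == BPF_K && p->k == 0)
                return V_DIV_BY_ZERO;           /* would trap once compiled to native code */
            break;
        case BPF_JMP:
            /* Offsets are unsigned and relative to the next instruction, so every
             * jump is forward and the program terminates within len steps; all
             * that remains is that each target lands inside the program. */
            switch (BPF_OP(p->code)) {
            case BPF_JA:
                if (from + p->k >= len) return V_BAD_JUMP;
                break;
            case BPF_JEQ: case BPF_JGT: case BPF_JGE: case BPF_JSET:
                if (from + p->jt >= len || from + p->jf >= len) return V_BAD_JUMP;
                break;
            default:
                return V_BAD_OPCODE;
            }
            break;
        case BPF_RET: case BPF_MISC:
            break;
        }
    }
    return BPF_CLASS(f[len - 1].code) == BPF_RET ? V_OK : V_NO_RET;  /* must not run off the end */
}

#define STMT(code, k)         { (code), 0, 0, (k) }
#define JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }
#define NINSN(p)              (sizeof(p) / sizeof((p)[0]))

/* Constructed sample programs (tcpdump-style intent in the comments). */
const struct bpf_insn prog_ipv4[] = {                /* accept frames whose ethertype is IPv4 */
    STMT(BPF_LD | BPF_H | BPF_ABS, 12),              /* ldh [12]                */
    JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 1),   /* jeq #0x800, L1, L2      */
    STMT(BPF_RET | BPF_K, 65535),                    /* L1: ret #65535          */
    STMT(BPF_RET | BPF_K, 0) };                      /* L2: ret #0              */
const struct bpf_insn prog_jump_out[] = {            /* jf target past the end */
    STMT(BPF_LD | BPF_H | BPF_ABS, 12), JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 5),
    STMT(BPF_RET | BPF_K, 65535), STMT(BPF_RET | BPF_K, 0) };
const struct bpf_insn prog_wrap[] = {                /* "ja -1": the only way to try to loop */
    STMT(BPF_JMP | BPF_JA, 0xffffffffu), STMT(BPF_RET | BPF_K, 0) };
const struct bpf_insn prog_bad_mem[] = {             /* st M[16]: one past scratch memory */
    STMT(BPF_LD | BPF_H | BPF_ABS, 12), STMT(BPF_ST, BPF_MEMWORDS), STMT(BPF_RET | BPF_K, 0) };
const struct bpf_insn prog_div0[] = {                /* div #0 */
    STMT(BPF_LD | BPF_H | BPF_ABS, 12), STMT(BPF_ALU | BPF_DIV | BPF_K, 0), STMT(BPF_RET | BPF_K, 0) };
const struct bpf_insn prog_no_ret[] = {              /* falls off the end */
    STMT(BPF_LD | BPF_H | BPF_ABS, 12) };

int main(void)
{
    const struct { const char *name; const struct bpf_insn *p; size_t n; } t[] = {
        { "ipv4 filter", prog_ipv4, NINSN(prog_ipv4) }, { "jump past end", prog_jump_out, NINSN(prog_jump_out) },
        { "ja -1 (wrap)", prog_wrap, NINSN(prog_wrap) }, { "st M[16]", prog_bad_mem, NINSN(prog_bad_mem) },
        { "div #0", prog_div0, NINSN(prog_div0) },      { "no ret", prog_no_ret, NINSN(prog_no_ret) } };
    for (size_t i = 0; i < NINSN(t); i++)
        printf("%-14s -> verdict %d\n", t[i].name, (int)bpf_check(t[i].p, t[i].n));
    return 0;
}
```

The checker is linear in the program length and needs no fixpoint or flow analysis, which is the practical content of "small and restricted enough": termination follows from the encoding alone, and everything else is a per-instruction range check. Note what it does not cover: packet-load offsets (BPF_ABS, BPF_IND) are only checked against the packet length at run time, so a native-code translator has to emit that bounds check itself rather than rely on the verifier.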