Subject: Re: Why not BPF for security?
To: None <itojun@iijlab.net>
From: Bryan P <u7@terran.org>
List: tech-net
Date: 04/09/2003 22:07:55
On the distinguished day of Apr 10, itojun@iijlab.net wrote:

> >I'm curious to know if there is a reason that the BPF interpreter in the
> >kernel is not also used for security purposes.  It certainly would be
> >simple enough to pair a (user-space) compiled BPF program with an action
> >(e.g. ACCEPT, DISCARD, REJECT, etc) and evaluate a per-interface list of
> >these programs upon packet-input.  It would be nice to be able to use
> >pcap for filter expressions (symmetry with tcpdump).  I suppose it might
> >not be as efficient to use BPF for this, and of course it doesn't handle
> >NAT, stateful filtering etc., but I'm curious to know if there are other
> >reasons not to do it.
>
> 	BSDi BSD/OS uses BPF as packet filter engine.  there's some chance
> 	we can make it freely-redistributable (by asking them nicely - i
> 	got an offer one time)

Yes, actually I noticed this earlier when working with BSDi ipfw.  When I
look at the NetBSD source, it looks like a simple feature to support using
what we already have: link our ipfw with pcap, pcap_compile() rule
arguments, pair each filter with an action and an interface, and evaluate
on packet input.

-bp
--
# Software Engineer
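The design sketched in the reply (compile a filter, pair it with an action and an interface, walk the per-interface list on packet input) as an added example that is not part of this thread or of any ipfw code: a Python model of the classic BPF interpreter plus a first-match rule list. The programs are hand-assembled to match what pcap_compile() emits for "ip" and "tcp dst port 22" on Ethernet (minus the IP-fragment check pcap adds); interface names, actions, rule order and the sample frames are constructed assumptions.

```python
import struct
# Classic BPF opcodes from <net/bpf.h>, only the subset the rules below use.
LDH_ABS, LDB_ABS, LDH_IND = 0x28, 0x30, 0x48  # A = u16 at k; A = u8 at k; A = u16 at X+k
LDX_MSH, JEQ_K, RET_K = 0xB1, 0x15, 0x06      # X = 4*(pkt[k]&0xf); pc += jt/jf; return k
ACCEPT, DISCARD, REJECT = "ACCEPT", "DISCARD", "REJECT"

def bpf_run(prog, pkt):
    """Run a classic BPF program over pkt: nonzero = match, 0 = no match (also for a short packet)."""
    A = X = pc = 0
    try:
        while True:
            code, jt, jf, k = prog[pc]
            pc += 1
            if code == RET_K:
                return k
            if code == LDH_ABS:
                A = struct.unpack_from("!H", pkt, k)[0]
            elif code == LDB_ABS:
                A = pkt[k]
            elif code == LDH_IND:
                A = struct.unpack_from("!H", pkt, X + k)[0]
            elif code == LDX_MSH:
                X = 4 * (pkt[k] & 0x0F)
            elif code == JEQ_K:
                pc += jt if A == k else jf
            else:
                raise ValueError("unsupported opcode 0x%02x" % code)
    except (struct.error, IndexError):   # load past end of packet, or program ran off its end
        return 0
# Hand-assembled (code, jt, jf, k) programs in the shape pcap_compile() emits for these
# expressions on Ethernet; the second omits the IP-fragment check real pcap output adds.
PROG_IP = [(LDH_ABS, 0, 0, 12), (JEQ_K, 0, 1, 0x0800), (RET_K, 0, 0, 0xFFFF), (RET_K, 0, 0, 0)]
PROG_TCP_DPORT_22 = [(LDH_ABS, 0, 0, 12), (JEQ_K, 0, 6, 0x0800),   # ethertype == IPv4
                     (LDB_ABS, 0, 0, 23), (JEQ_K, 0, 4, 6),        # ip proto == TCP
                     (LDX_MSH, 0, 0, 14), (LDH_IND, 0, 0, 16),     # X = ihl; A = TCP dst port
                     (JEQ_K, 0, 1, 22), (RET_K, 0, 0, 0xFFFF), (RET_K, 0, 0, 0)]
# Per-interface rule lists (assumed names), evaluated on packet input: first matching filter wins.
RULES = {"fxp0": [(PROG_TCP_DPORT_22, REJECT), (PROG_IP, ACCEPT)], "lo0": [(PROG_IP, ACCEPT)]}

def filter_input(iface, pkt, rules=RULES, default=DISCARD):
    """Return the action for a frame arriving on iface; default if no rule matches."""
    for prog, action in rules.get(iface, []):
        if bpf_run(prog, pkt):
            return action
    return default

def make_tcp_frame(dport):
    """Constructed sample frame: Ethernet + minimal IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", 40000, dport) + b"\x00" * 16
```

A frame shorter than the offsets a rule reads never matches, so a deny-by-default tail (the DISCARD default here) is what actually decides truncated input.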