Subject: Re: ipfw (ala BSD/OS) and why it was cool
To: Peter Seebach <seebs@plethora.net>
From: Chris Ross <cross@distal.com>
List: current-users
Date: 12/20/2004 18:26:45

On Dec 20, 2004, at 17:37, Peter Seebach wrote:
> Yes.  ipfw does all of this; the same language can be used to accept or
> reject packets, or to classify them into streams, which can be rate-limited,
> and so on.
>
> Really, as of the last release, I was unaware of anything anyone wanted a
> widget like this to do that ipfw didn't do fairly well.  The disappearance
> of the code into Wind River's shiny new Linux strategy is a crying shame.

   I agree with your last statement.  However, the thing that IPFW was
lacking was automatic state-keeping.  I can't say "allow UDP responses to
UDP packets that've been output w/i the last minute".  Sans that, and the
bugs (a few of which I still have open for 5.1, that I doubt they'll fix),
it was a *great* system.  Certainly, a similar system in a much more widely
deployed OS (like NetBSD) with many more developers would likely not suffer
from as much of the "it does the main things well, but X makes it choke"
as IPFW does (currently).

   I'd love to see it.  And, I'm familiar with the predecessor so I can
compare and contrast.  ;-)

                                                - Chris