Subject: Re: Zembu Packet Classifier -- would like to put it in the mainline
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-net
Date: 12/28/2000 22:31:28

On Fri, Dec 29, 2000 at 05:09:56PM +1100, Darren Reed wrote:

 > There are a number of other implementations of this already.  I believe
 > one was presented at BSDcon by Bill Fumerola, there's another in the "next"
 > version of IP Filter...be interesting to see how they all stack up.

Fumerola's filter and your IP Filter are tied to IP (v4/v6), yes?  If so,
that's still sub-optimal for my application.  But, yes, would be interesting
to see.

I seem to recall that your version either:

	* Compiles, statically, rules into the kernel when you build it.

	* Loads already-compiled object code into the kernel.

The former is pretty sub-optimal, the latter is generally considered
unsafe.

By doing synthesis on BPF bytecode, you can have bpf_validate() verify that
the code is safe, and then synthesize it into object code.

Also, as previously mentioned, my goal is to eventually use this synthesized
code for doing IPsec policy lookups, etc.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
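
The validate-then-synthesize step mentioned above, as an added example that is not part of the original message and is not NetBSD's bpf_validate(): static checks on classic BPF bytecode (forward in-bounds jumps, scratch-memory indices, constant divide by zero, final return) run before any translation to object code. The names `validate`, `struct insn` and the sample program are assumptions of this example; the opcode encodings are those of classic BPF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Classic BPF instruction layout and encodings, redefined locally (assumed names). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define CLASS(c) ((c) & 0x07)
#define MODE(c)  ((c) & 0xe0)
#define OP(c)    ((c) & 0xf0)
#define SRC(c)   ((c) & 0x08)
enum { LD, LDX, ST, STX, ALU, JMP, RET };           /* instruction classes */
enum { MEM = 0x60, DIV = 0x30, JA = 0x00, MEMWORDS = 16 };

/* Returns 1 if the program passes the static checks, 0 otherwise. Packet loads
 * depend on the packet, so they still need a bounds check at run time. */
int validate(const struct insn *p, size_t len)
{
    if (p == NULL || len == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        size_t rest = len - i - 1;      /* instructions after this one */
        uint16_t c = p[i].code;
        switch (CLASS(c)) {
        case LD: case LDX:              /* scratch-memory load index */
            if (MODE(c) == MEM && p[i].k >= MEMWORDS) return 0;
            break;
        case ST: case STX:              /* scratch-memory store index */
            if (p[i].k >= MEMWORDS) return 0;
            break;
        case ALU:                       /* constant divide by zero */
            if (OP(c) == DIV && SRC(c) == 0 && p[i].k == 0) return 0;
            break;
        case JMP:                       /* offsets are unsigned: forward only */
            if (OP(c) == JA ? p[i].k >= rest
                            : (p[i].jt >= rest || p[i].jf >= rest)) return 0;
            break;
        }
    }
    return CLASS(p[len - 1].code) == RET;   /* must end in a return */
}

/* Constructed sample: ldh [12]; jeq #0x0800 ? accept : reject. */
static const struct insn sample[] = {
    { 0x28, 0, 0, 12 }, { 0x15, 0, 1, 0x0800 }, { 0x06, 0, 0, 0xffff }, { 0x06, 0, 0, 0 },
};

int main(void)
{
    puts(validate(sample, 4) ? "sample accepted" : "sample rejected");
}
```

Because every jump offset is unsigned and must land inside the program, an accepted program cannot loop, which is what lets a translator treat it as straight-line code with forward branches.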