Subject: Re: Zembu Packet Classifier -- would like to put it in the mainline
To: None <thorpej@zembu.com>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 12/29/2000 23:24:59
In some email I received from Jason R Thorpe, sie wrote:
> On Fri, Dec 29, 2000 at 05:09:56PM +1100, Darren Reed wrote:
> 
>  > There are a number of other implementations of this already.  I believe
>  > one was presented at BSDcon by Bill Fumerola, there's another in the "next"
>  > version of IP Filter...be interesting to see how they all stack up.
> 
> Fumerola's filter and your IP Filter are tied to IP (v4/v6), yes?

I don't know about Fumerola's, but given it is for ipfw, then I would say
so.  At this point, the work I've done for IP Filter is ipv4 only but
shouldn't be too hard to make it do ipv6.

> If so,
> that's still sub-optimal for my application.  But, yes, would be interesting
> to see.
> 
> I seem to recall that your version either:
> 
> 	* Compiles, statically, rules into the kernel when you build it.
> 
> 	* Loads already-compiled object code into the kernel.
> 
> The former is pretty sub-optimal,

But quite secure given that they can't be deleted.  Well, you can insert
in front of said rules but some flexibility won't go astray.  As for it
being safe, well, it may not get validated but the automatically generated
code is otherwise just as `safe' as any other kernel C code.

> the latter is generally considered unsafe.

Unsafe by whom?  Lots of people build good firewalls on Solaris.
Whether object code gets loaded into the kernel at runtime, bootup
or generated on the fly, for it to get there in the first place
implies that someone trusts that mechanism.

> By doing synthesis on BPF bytecode, you can have bpf_validate() that
> the code is safe, and then synthesize it into object code.

Whilst bpf_validate() checks bytecode, what checks the resulting
object code for correctness?

Plus, there's no reason IP Filter couldn't take advantage of that
facility if it were "generic".  Be nice if that facility made it
back into libpcap/BPF so then IP Filter could use it on platforms
besides NetBSD.

Darren
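An added example to illustrate the validation step the thread is arguing about: the kind of static checks a bpf_validate()-style pass makes on classic BPF bytecode before an interpreter or JIT is allowed to run it. This is not NetBSD's, IP Filter's, or anyone on this thread's code; the encoding constants are assumed to match the public classic BPF layout (redefined here so the file builds without <net/bpf.h>), and the validator function and sample programs are constructed for this example. It shows why bytecode is cheap to vet (fixed-size instructions, unsigned forward-only jump offsets, a small scratch memory) and what such a pass rejects.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction layout and encoding bits (assumed to match
 * <net/bpf.h>; redefined so the example builds stand-alone). */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_LD 0x00
#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_MISC 0x07
#define BPF_H 0x08                         /* half-word load size */
#define BPF_MODE(c) ((c) & 0xe0)
#define BPF_IMM 0x00
#define BPF_ABS 0x20
#define BPF_IND 0x40
#define BPF_MEM 0x60
#define BPF_LEN 0x80
#define BPF_MSH 0xa0
#define BPF_OP(c) ((c) & 0xf0)
#define BPF_ADD 0x00
#define BPF_SUB 0x10
#define BPF_MUL 0x20
#define BPF_DIV 0x30
#define BPF_OR 0x40
#define BPF_AND 0x50
#define BPF_LSH 0x60
#define BPF_RSH 0x70
#define BPF_NEG 0x80
#define BPF_JA 0x00
#define BPF_JEQ 0x10
#define BPF_JSET 0x40                      /* highest valid conditional jump op */
#define BPF_SRC(c) ((c) & 0x08)
#define BPF_K 0x00
#define BPF_X 0x08
#define BPF_MISCOP(c) ((c) & 0xf8)
#define BPF_TAX 0x00
#define BPF_TXA 0x80
#define BPF_MEMWORDS 16
#define BPF_MAXINSNS 512
#define BPF_STMT(code, k) { (uint16_t)(code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (k) }

/* Returns 1 if the program is safe to hand to an interpreter or JIT, else 0.
 * Checks: known opcodes only; scratch-memory indices in range; no division
 * by a constant zero; every jump target inside the program (offsets are
 * unsigned and relative to the next instruction, so loops cannot be
 * encoded); and a RET as the last instruction so execution cannot fall
 * off the end.  Packet-offset bounds and division by X are run-time checks. */
int validate_cbpf(const struct bpf_insn *f, int len)
{
    if (len < 1 || len > BPF_MAXINSNS)
        return 0;
    for (int i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        uint32_t room = (uint32_t)(len - i - 1);   /* instructions after this one */
        switch (BPF_CLASS(p->code)) {
        case BPF_LD: case BPF_LDX:
            switch (BPF_MODE(p->code)) {
            case BPF_IMM: case BPF_ABS: case BPF_IND: case BPF_MSH: case BPF_LEN: break;
            case BPF_MEM: if (p->k >= BPF_MEMWORDS) return 0; break;
            default: return 0;
            }
            break;
        case BPF_ST: case BPF_STX:
            if (p->k >= BPF_MEMWORDS) return 0;
            break;
        case BPF_ALU:
            switch (BPF_OP(p->code)) {
            case BPF_ADD: case BPF_SUB: case BPF_MUL: case BPF_OR: case BPF_AND:
            case BPF_LSH: case BPF_RSH: case BPF_NEG: break;
            case BPF_DIV: if (BPF_SRC(p->code) == BPF_K && p->k == 0) return 0; break;
            default: return 0;
            }
            break;
        case BPF_JMP:
            if (BPF_OP(p->code) == BPF_JA) { if (p->k >= room) return 0; }
            else if (BPF_OP(p->code) <= BPF_JSET) { if (p->jt >= room || p->jf >= room) return 0; }
            else return 0;
            break;
        case BPF_RET: break;
        case BPF_MISC:
            if (BPF_MISCOP(p->code) != BPF_TAX && BPF_MISCOP(p->code) != BPF_TXA) return 0;
            break;
        default: return 0;
        }
    }
    return BPF_CLASS(f[len - 1].code) == BPF_RET;
}

/* Constructed samples: one valid filter (accept IPv4, EtherType 0x0800 at
 * offset 12) and four programs that a validator must reject. */
static const struct bpf_insn accept_ipv4[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, 65535), BPF_STMT(BPF_RET | BPF_K, 0),
};
static const struct bpf_insn jump_out_of_range[] = {   /* jf=5 points past the end */
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 5),
    BPF_STMT(BPF_RET | BPF_K, 65535), BPF_STMT(BPF_RET | BPF_K, 0),
};
static const struct bpf_insn bad_mem_slot[] = {        /* scratch slots are 0..15 */
    BPF_STMT(BPF_LD | BPF_IMM, 1), BPF_STMT(BPF_ST, BPF_MEMWORDS), BPF_STMT(BPF_RET | BPF_K, 0),
};
static const struct bpf_insn div_by_zero[] = {         /* A / #0 */
    BPF_STMT(BPF_LD | BPF_IMM, 1), BPF_STMT(BPF_ALU | BPF_DIV | BPF_K, 0), BPF_STMT(BPF_RET | BPF_K, 0),
};
static const struct bpf_insn no_ret[] = { BPF_STMT(BPF_LD | BPF_IMM, 1) };  /* falls off the end */

#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))
int check_accept_ipv4(void) { return validate_cbpf(accept_ipv4, N(accept_ipv4)); }
int check_jump_range(void)  { return validate_cbpf(jump_out_of_range, N(jump_out_of_range)); }
int check_mem_slot(void)    { return validate_cbpf(bad_mem_slot, N(bad_mem_slot)); }
int check_div_zero(void)    { return validate_cbpf(div_by_zero, N(div_by_zero)); }
int check_no_ret(void)      { return validate_cbpf(no_ret, N(no_ret)); }

int main(void)
{
    printf("accept_ipv4=%d jump_range=%d mem_slot=%d div_zero=%d no_ret=%d\n",
           check_accept_ipv4(), check_jump_range(), check_mem_slot(),
           check_div_zero(), check_no_ret());
    return 0;
}
```

The design point relevant to the thread: every property checked above is decidable by a single linear pass over fixed-size instructions, which is what makes bytecode a convenient trust boundary. Whether the translation from vetted bytecode to native code preserves those properties is a separate question, and this pass does nothing to answer it.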