Re: ipf

What would be the security advantage? Packet filters don't parse
strings, or execve() programs, they filter. And that's it.

The reason you _don't_ put a packet filter in userspace is that a
context switch is added for each packet that traverses the firewall.

And the only language to choose for a BSD packet filter is C. That is,
if you want it to be capable of handling linespeed.

(in short, the only thing userland about a firewall should be the
control programs)


On Wed, May 30, 2001 at 03:05:23PM +1000, Michael Samuel wrote:
> Would a userland API be totally out of the question?
> It would be a major security advantage to have the packet filter
> chroot()ing, then dropping root privileges.  Not to mention the
> flexibility of being able to write a packet filter in any language you
> choose...