
Re: ipf

On Wed, 30 May 2001, Jeff Bachtel wrote:

> What would be the security advantage? Packet filters don't parse
> strings, or execve() programs, they filter. And that's it.
>
> The reason you _don't_ put a packet filter in userspace is that a
> context switch is added for each packet that traverses the firewall.

Not necessarily. If you are making your accept/reject decisions on
'connections' rather than packets, then user-space policy becomes more
manageable and much more desirable.

-d

-- 
| Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
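The point Damien makes above, that deciding per connection rather than per packet keeps a user-space policy affordable, as an added example that is not part of this thread: a small Python simulation (constructed traffic, hypothetical policy and class names) comparing how often a stateless per-packet filter consults the user-space policy with a filter that caches one verdict per connection.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only on the first packet of a new TCP connection

def policy(pkt: Packet) -> bool:
    """Hypothetical user-space policy: allow only SSH and HTTPS."""
    return pkt.dport in (22, 443)

class PerPacketFilter:
    """Stateless: the policy (one context switch) runs for every packet."""
    def __init__(self):
        self.policy_calls = 0
    def handle(self, pkt: Packet) -> bool:
        self.policy_calls += 1
        return policy(pkt)

class PerConnectionFilter:
    """Stateful: policy runs once per connection; later packets hit a table."""
    def __init__(self):
        self.policy_calls = 0
        self.table = {}  # (src, sport, dst, dport) -> cached verdict
    def handle(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return self.table[key]  # fast path: no user-space round trip
        if not pkt.syn:
            return False  # mid-stream packet with no tracked connection
        self.policy_calls += 1  # slow path: once per connection
        self.table[key] = policy(pkt)
        return self.table[key]

# Constructed traffic: an HTTPS flow (SYN + 9 data packets), an SMTP flow
# (SYN + 4 data packets) and one stray data packet with no handshake.
TRAFFIC = (
    [Packet("10.0.0.5", 40000, "10.0.0.1", 443, syn=True)]
    + [Packet("10.0.0.5", 40000, "10.0.0.1", 443)] * 9
    + [Packet("10.0.0.6", 40001, "10.0.0.1", 25, syn=True)]
    + [Packet("10.0.0.6", 40001, "10.0.0.1", 25)] * 4
    + [Packet("10.0.0.7", 40002, "10.0.0.1", 443)]
)

def run(filter_cls, traffic=TRAFFIC):
    """Return (accepted, dropped, policy_calls) for one filter over the traffic."""
    f = filter_cls()
    verdicts = [f.handle(p) for p in traffic]
    return verdicts.count(True), verdicts.count(False), f.policy_calls
```

On the same 16 packets the per-packet filter calls the policy 16 times and also lets the stray handshake-less packet through, while the per-connection filter calls it twice and drops that packet because no tracked connection matches it.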