
Re: ipf



Then you're not exactly putting your _packet filter_ in _userspace_,
are you?

What you are talking about is an API for a policy daemon to feed
dynamic rules to a kernelspace packet filter. Similar to ipf -F a -f
/etc/ipf.rules -E, but running constantly, and somehow "smarter".

jeff

> > The reason you _don't_ put a packet filter in userspace is that a
> > context switch is added for each packet that traverses the firewall.
> 
> Not necessarily. If you are making your accept/reject decisions on
> 'connections' rather than packets, then user-space policy becomes more
> manageable and much more desirable.
> 
> -d
> 
> -- 
> | Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
> 

-- 
Jeff Bachtel  (root@ISC,TAMU)    http://www.cepheid.org/~jeff
				 [finger jeff@cepheid.org for PGP key]
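The trade-off argued in this exchange (a user-space policy daemon feeding verdicts to a kernel-space filter, consulted per connection rather than per packet) can be made concrete with a small simulation. The following is an added example, not code from this thread, from ipf, or from either poster; the `Packet` record, the `policy_allow` rule, the `KernelFilter` class and the packet trace are all constructed here for illustration. The `upcalls` counter stands in for the kernel/user round trips (context switches) each design would cost.

```python
"""Simulated kernel-side packet filter with a user-space policy callback.

Added example (not from the thread). Compares two designs:
  per-packet    : every packet is handed to the policy function
  per-connection: only the first packet of a new flow (5-tuple) is, and
                  its verdict is cached in a kernel-side flow table
`upcalls` counts how often the policy was consulted, i.e. how many
kernel<->user round trips (context switches) the design would incur.
"""
from collections import namedtuple

# Constructed packet record: just the 5-tuple, which is all the simulation needs.
Packet = namedtuple("Packet", "src dst sport dport proto")


def policy_allow(pkt):
    """Hypothetical user-space policy: permit only SSH and HTTP connections."""
    return pkt.proto == "tcp" and pkt.dport in (22, 80)


class KernelFilter:
    """Stand-in for the kernel-space filter; `policy` plays the policy daemon."""

    def __init__(self, policy, per_connection):
        self.policy = policy
        self.per_connection = per_connection
        self.flows = {}     # 5-tuple -> cached verdict (the "dynamic rules")
        self.upcalls = 0    # policy consultations == simulated context switches

    def _ask_policy(self, pkt):
        self.upcalls += 1
        return self.policy(pkt)

    def filter(self, pkt):
        """Return True to accept the packet, False to drop it."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        if self.per_connection and key in self.flows:
            return self.flows[key]          # fast path: no user-space round trip
        verdict = self._ask_policy(pkt)
        if self.per_connection:
            self.flows[key] = verdict       # remember the connection's verdict
        return verdict


def run(trace, per_connection):
    """Filter a packet trace; return (verdicts, number of policy upcalls)."""
    kf = KernelFilter(policy_allow, per_connection)
    verdicts = [kf.filter(p) for p in trace]
    return verdicts, kf.upcalls


def constructed_trace():
    """Three client->server connections (ssh, http, telnet), packets interleaved."""
    ssh = Packet("10.0.0.5", "10.0.0.1", 40001, 22, "tcp")
    http = Packet("10.0.0.6", "10.0.0.1", 40002, 80, "tcp")
    telnet = Packet("10.0.0.7", "10.0.0.1", 40003, 23, "tcp")
    # 12 packets in total: 5 ssh, 4 http, 3 telnet
    return [ssh, http, telnet, ssh, ssh, http, telnet, ssh, http, ssh, http, telnet]


if __name__ == "__main__":
    trace = constructed_trace()
    for mode in (False, True):
        verdicts, upcalls = run(trace, per_connection=mode)
        print("per-connection" if mode else "per-packet    ",
              "upcalls:", upcalls, "accepted:", sum(verdicts))
```

Both modes produce identical verdicts for the trace, but the per-packet design consults the policy once per packet (12 upcalls) while the per-connection design consults it once per flow (3 upcalls); the cost of the user-space policy is paid per connection setup, not per forwarded packet. A real flow table would additionally have to match the reply direction of each connection and expire entries, which this simulation leaves out.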