Re: ipf
Then you're not exactly putting your _packet filter_ in _userspace_,
are you?
What you are talking about is an API for a policy daemon to feed
dynamic rules to a kernelspace packet filter. Similar to ipf -F a -f
/etc/ipf.rules -E, but running constantly, and somehow "smarter".
jeff
> > The reason you _don't_ put a packet filter in userspace is that a
> > context switch is added for each packet that traverses the firewall.
>
> Not necessarily. If you are making your accept/reject decisions on
> 'connections' rather than packets, then user-space policy becomes more
> manageable and much more desirable.
>
> -d
>
> --
> | Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer
>
--
Jeff Bachtel (root@ISC,TAMU) http://www.cepheid.org/~jeff
[finger jeff@cepheid.org for PGP key]
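The two designs argued about above, as an added toy model that is not part of this thread and not ipf's own code: a stateless filter that hands every packet to a userspace policy (one upcall, i.e. one context switch, per packet) beside a kernel-side connection table that consults the policy only for the first packet of a flow and answers the rest from state. The policy function, the packet tuple, the flow key and the traffic are all constructed for the example; the counts it returns show how many policy consultations each design needs for the same packet stream, and why replies need state to be accepted at all.

```python
import ipaddress
from collections import namedtuple

# Constructed packet representation for the model (not ipf's own structures).
Packet = namedtuple("Packet", "proto src sport dst dport flags")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed "inside" network


def policy(pkt):
    """Hypothetical userspace policy: inside hosts may open HTTP/SSH, nothing else."""
    return (ipaddress.ip_address(pkt.src) in INTERNAL
            and pkt.proto == "tcp"
            and pkt.dport in (22, 80))


class PerPacketFilter:
    """Stateless design: every packet crosses into the policy daemon."""
    def __init__(self, policy):
        self.policy = policy
        self.upcalls = 0  # models one context switch per consultation

    def handle(self, pkt):
        self.upcalls += 1
        return self.policy(pkt)


def flow_key(pkt):
    """Direction-independent 5-tuple so replies map to the same entry."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class PerConnectionFilter:
    """Stateful design: kernel-side table, policy only sees the first packet of a flow."""
    def __init__(self, policy):
        self.policy = policy
        self.upcalls = 0
        self.table = {}  # flow key -> cached verdict

    def handle(self, pkt):
        key = flow_key(pkt)
        verdict = self.table.get(key)
        if verdict is None:          # unknown flow: ask the policy daemon once
            self.upcalls += 1
            verdict = self.policy(pkt)
            self.table[key] = verdict
        # Simplified teardown: drop the entry on FIN or RST from either side.
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            self.table.pop(key, None)
        return verdict


def constructed_traffic():
    """Constructed sample: one allowed HTTP flow with replies, one denied SSH probe."""
    client, server = "10.1.2.3", "192.0.2.10"
    pkts = []
    for _ in range(9):
        pkts.append(Packet("tcp", client, 40000, server, 80, frozenset({"ACK"})))
        pkts.append(Packet("tcp", server, 80, client, 40000, frozenset({"ACK"})))
    pkts.append(Packet("tcp", client, 40000, server, 80, frozenset({"FIN", "ACK"})))
    for _ in range(5):  # outside host retrying SSH against an inside host
        pkts.append(Packet("tcp", "198.51.100.7", 51515, "10.1.2.3", 22, frozenset({"SYN"})))
    return pkts


def simulate():
    pkts = constructed_traffic()
    per_packet = PerPacketFilter(policy)
    per_conn = PerConnectionFilter(policy)
    pp = [per_packet.handle(p) for p in pkts]
    pc = [per_conn.handle(p) for p in pkts]
    return {
        "packets": len(pkts),
        "per_packet_upcalls": per_packet.upcalls,
        "per_connection_upcalls": per_conn.upcalls,
        "per_packet_accepted": sum(pp),
        "per_connection_accepted": sum(pc),
        "open_flows": len(per_conn.table),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The stateless model needs 24 upcalls for 24 packets and, because its policy only knows "inside may open 80/22", it also rejects every server reply; the connection model needs 2 upcalls for the same stream, accepts the replies from cached state, and forgets the HTTP flow once the FIN is seen. Real teardown tracks both sides' FINs and ages idle entries out; the single-FIN eviction here is the simplification.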