Re: ipf

In message <20010530001052.T29475@cepheid.nu>, Jeff Bachtel writes:
>What would be the security advantage? Packet filters don't parse
>strings, or execve() programs, they filter. And that's it.


>The reason you _don't_ put a packet filter in userspace is that a
>context switch is added for each packet that traverses the firewall.

Turns out this is not really an issue; in the distant past, I did work on a
user-level firewall. Not only was it fast enough, it was trivial to develop as
well. More recently, I've done the same for some research at UPenn. If you
combine it with an in-kernel rule cache it gets even faster.

There are reasons against doing this of course; however, *if* we decide to
roll out something from scratch, a userland firewall may be a very reasonable
first step simply in terms of development ease (it also makes it very natural
to modularize it).
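As an added illustration of the combination the reply mentions (a userland filter fronted by an in-kernel rule cache), here is a constructed simulation; it is not code from this thread or from ipf. The rule table, the packet trace and the assumption that cached verdicts are keyed on the full 5-tuple are mine, and the slow-path call count stands in for the per-packet context switches raised in the quoted message.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src sport dst dport")

# Constructed first-match rule table: (proto, source network, dst port, action).
RULES = [
    ("tcp", "10.0.0.0/8", 22, "pass"),
    ("tcp", "0.0.0.0/0", 80, "pass"),
    ("udp", "0.0.0.0/0", 53, "pass"),
]

class UserlandFilter:
    """Slow path: stands in for the process the kernel diverts packets to."""
    def __init__(self):
        self.consultations = 0  # each call models a kernel <-> user round trip

    def verdict(self, pkt):
        self.consultations += 1
        for proto, net, dport, action in RULES:
            if (proto == pkt.proto and dport == pkt.dport
                    and ip_address(pkt.src) in ip_network(net)):
                return action
        return "block"  # default deny when no rule matched

class CachedFilter:
    """Fast path: keeps the slow-path verdict per flow (5-tuple) in-kernel."""
    def __init__(self, slow):
        self.slow, self.hits, self.cache = slow, 0, {}  # flush cache on rule change

    def verdict(self, pkt):
        key = tuple(pkt)
        if key in self.cache:  # later packets of the flow never leave the kernel
            self.hits += 1
        else:
            self.cache[key] = self.slow.verdict(pkt)
        return self.cache[key]

def run(packets):
    # Returns (verdicts, slow-path consultations, cache hits) for a trace.
    slow = UserlandFilter()
    fast = CachedFilter(slow)
    verdicts = [fast.verdict(p) for p in packets]
    return verdicts, slow.consultations, fast.hits

# Constructed trace: three flows (ssh, http, a telnet attempt), ten packets.
TRACE = (
    [Packet("tcp", "10.1.2.3", 40000, "10.9.9.9", 22)] * 5
    + [Packet("tcp", "192.0.2.5", 51000, "203.0.113.1", 80)] * 3
    + [Packet("tcp", "198.51.100.7", 52000, "10.9.9.9", 23)] * 2
)
```

Running `run(TRACE)` shows only three of the ten packets reaching the slow path, which is the effect the cache is meant to have; note that caching a verdict per flow also means the cache has to be invalidated whenever the rule set is reloaded.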