
Re: ipf



And somehow I get flashbacks of Paul Vixie's screend.
Some kernel mods (a .o file for use on non-opensource OSs)
and a userland process that made decisions.

Times have moved on, but the context switch rates are pretty
much moot for anyone using a post-1997 machine to firewall
a T1.

Quoting Jeff Bachtel (sebastion@irelandmail.com):
> Then you're not exactly putting your _packet filter_ in _userspace_,
> are you?
> 
> What you are talking about is an API for a policy daemon to feed
> dynamic rules to a kernelspace packet filter. Similar to ipf -F a -f
> /etc/ipf.rules -E, but running constantly, and somehow "smarter".
> 
> jeff
> 
> > > The reason you _don't_ put a packet filter in userspace is that a
> > > context switch is added for each packet that traverses the firewall.
> > 
> > Not necessarily. If you are making your accept/reject decisions on
> > 'connections' rather than packets, then user-space policy becomes more
> > manageable and much more desirable.
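The exchange above turns on one design point: a userland policy process is cheap if it is consulted once per connection rather than once per packet, with a kernel-side table (the "dynamic rules" a daemon would feed to ipf) carrying every later packet of that flow. The following simulation, added here as an illustration and not part of the thread or of ipf or screend, compares the two designs on the same constructed traffic. Each call into the hypothetical `PolicyDaemon.decide()` stands in for one kernel-to-userland context switch; the flow table, policy rules, addresses and port numbers are all made up for the example, and connection teardown and idle timeouts are deliberately omitted.

```python
"""Per-packet vs per-connection policy consultation (added example, not ipf code)."""
from collections import namedtuple

# Minimal packet model; flags is a string of TCP flag letters ("S", "SA", "PA", ...).
Packet = namedtuple("Packet", "src dst sport dport proto flags")


def flow_key(pkt):
    """Direction-agnostic 5-tuple so a reply hits the same entry as the request."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class PolicyDaemon:
    """Hypothetical userland policy: allow tcp/22 and tcp/80 initiated from 10/8.

    decide() is written to be orientation-neutral (it accepts either direction of
    an allowed flow) so the stateless per-packet filter can use it unchanged.
    """
    def __init__(self):
        self.consultations = 0   # proxy for context switches

    def decide(self, pkt):
        self.consultations += 1
        if pkt.proto != "tcp":
            return "block"
        outbound = pkt.dport in (22, 80) and pkt.src.startswith("10.")
        reply = pkt.sport in (22, 80) and pkt.dst.startswith("10.")
        return "pass" if (outbound or reply) else "block"


class PerPacketFilter:
    """The design the thread argues against: every packet crosses into userland."""
    def __init__(self, policy):
        self.policy = policy

    def handle(self, pkt):
        return self.policy.decide(pkt)


class PerConnectionFilter:
    """Userland decides once per flow; a kernel-side table handles the rest."""
    def __init__(self, policy):
        self.policy = policy
        self.table = {}          # flow_key -> cached verdict (the "kernel" fast path)

    def handle(self, pkt):
        key = flow_key(pkt)
        if key in self.table:
            verdict = self.table[key]
            if pkt.proto == "tcp" and "R" in pkt.flags:
                del self.table[key]   # RST tears the flow down; FIN/timeouts omitted
            return verdict
        # No state: only a bare SYN may open a TCP flow. Mid-stream packets
        # (stray ACKs, unsolicited SYN-ACKs) are dropped without asking userland.
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "block"
        verdict = self.policy.decide(pkt)    # the one context switch per flow
        self.table[key] = verdict
        return verdict


def sample_traffic():
    """Constructed sample: one allowed SSH session, one refused client, one stray ACK."""
    c, s = "10.1.2.3", "192.0.2.10"
    ssh = (
        [Packet(c, s, 40001, 22, "tcp", "S"),
         Packet(s, c, 22, 40001, "tcp", "SA"),
         Packet(c, s, 40001, 22, "tcp", "A")]
        + [Packet(c, s, 40001, 22, "tcp", "PA")] * 5
        + [Packet(s, c, 22, 40001, "tcp", "PA")] * 5
        + [Packet(c, s, 40001, 22, "tcp", "FA"),
           Packet(s, c, 22, 40001, "tcp", "FA"),
           Packet(c, s, 40001, 22, "tcp", "A")]
    )
    refused = [Packet("203.0.113.5", s, 5555, 22, "tcp", "S")] * 3   # SYN retransmits
    stray = [Packet("203.0.113.9", s, 6666, 22, "tcp", "A")]         # never sent a SYN
    return ssh + refused + stray


def run(filter_cls, traffic):
    """Return (verdict list, number of userland consultations) for one design."""
    policy = PolicyDaemon()
    fw = filter_cls(policy)
    verdicts = [fw.handle(p) for p in traffic]
    return verdicts, policy.consultations


if __name__ == "__main__":
    for cls in (PerPacketFilter, PerConnectionFilter):
        verdicts, n = run(cls, sample_traffic())
        print(f"{cls.__name__}: {len(verdicts)} packets, "
              f"{verdicts.count('pass')} passed, {n} userland consultations")
```

Both designs reach the same verdicts on this traffic; the per-packet filter makes 20 trips into userland, the per-connection one makes 2 (one per SYN that reached the policy), and the stray mid-stream ACK is refused by the table logic alone. That is the whole of the "connections rather than packets" argument: the expensive decision is amortised over the flow, and the per-packet cost is a table lookup.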